Abstract


Concurrent Timestamp Systems (CTSS) allow processes to temporally order concurrent events
in an asynchronous shared memory system. Bounded memory constructions of a CTSS are
extremely powerful tools for concurrency control, and are the basis for solutions to many
coordination problems including mutual exclusion, randomized consensus, and multiwriter
multireader atomic registers. Unfortunately, known bounded CTSS constructions seem to be complex
from the algorithmic point of view. Because of the importance of bounded CTSS, the rather
involved original construction by Dolev and Shavit was followed by a series of papers that tried
to provide more easily verifiable CTSS constructions.

In this paper, we present what we believe is the simplest, most modular, and most easily
proven bounded CTSS algorithm known to date. The algorithm is constructed and its correctness
proven by carefully reasoned use of several tools. Our algorithm combines the labeling method
of the Dolev-Shavit CTSS with the atomic snapshot algorithm proposed by Afek et al., in
a way that limits the number of interleavings that can occur. To facilitate our correctness
proof, we introduce a specially tailored intermediate CTSS specification using unbounded label
values taken from the positive reals. Our correctness proof first shows that the real-number
based specification meets the CTSS axioms. Using the forward simulation techniques of the
I/O Automata model, we then show that our bounded algorithm implements the real-number
based specification. Finally, we prove that any CTSS that meets the CTSS axioms can be used
to implement multireader multiwriter atomic registers and first-come-first-serve (fcfs) mutual
exclusion.
1 Introduction


The paradigm of concurrent timestamping is at the heart of solutions to some of the most
fundamental problems in multiprocessor concurrency control. Examples of such problems include
fcfs mutual exclusion [19], construction of a multireader multiwriter atomic register [34], and
randomized consensus [8]. A simple bounded construction of a CTSS implies simple bounded
solutions to most of these extensively researched problems.

A timestamp system is somewhat like a ticket machine at an ice cream parlor. People's
requests to buy the ice cream are timestamped based on a numbered ticket (label) taken from
the machine. Any person, in order to know in what order the requests will be served, can
scan through all the labels and establish the total order among them. A concurrent timestamp
system (CTSS) is a timestamp system in which any process can either take a new ticket or scan
the existing tickets simultaneously with other processes. Furthermore, a CTSS is waitfree, which
means that a process is guaranteed to finish either of the two tasks mentioned above in a finite
number of steps, even if other processes experience stopping failures. Waitfree algorithms are
highly suited for fault tolerant and realtime applications (see [16]).

Israeli and Li, in [17], were the first to isolate the notion of bounded timestamping (time- 
stamping using bounded size memory) as an independent concept, developing an elegant theory 
of bounded sequential timestamp systems. Sequential timestamp systems prohibit concurrent 
operations. This work was continued in several interesting papers on sequential systems with 
weaker ordering requirements by Li and Vitanyi [26], Cori and Sopena [9] and Saks and Za- 
haroglou [35]. Dolev and Shavit [11] were the first to define and construct a bounded concurrent 
timestamp system. However, to quote [12]: “Their algorithm is ingenious but its proof is long 
and involved.” 

Because of the importance of the bounded concurrent timestamping problem, the original
solution by Dolev and Shavit has been followed by a series of papers directed at providing a
simpler bounded CTSS algorithm. Israeli and Pinchasov [18] have simplified the [11] algorithm
and its proof by modifying the labeling scheme of [11], introducing a new label scanning method,
and simplifying the ordering-of-events based formal proof [23] by reasoning about global states
(however, it still takes over 40 pages). Dwork and Waarts [12] have taken a totally different
approach, by having their bounded construction simulate a new and simpler type of unbounded
CTSS construction in which processes choose from "local pools" of label values instead of a
"global pool" as in [11, 18]. However, in order to bound the number of possible label values
in the local pools, they are forced to introduce a form of amortized garbage collection. This
greatly complicates their algorithm. (Their algorithm only has an informal operational proof.)

In this paper, we present a novel bounded algorithm that we believe is the simplest, most
modular, and most easily proven CTSS algorithm known to date. Our basic approach is to
decompose the problem into several distinct pieces.

• We base our algorithm on the atomic snapshot primitive introduced by Afek et al. [1]
(we use it as a black box). This primitive is waitfree and allows a process to collect an
"instantaneous" view of an array of shared registers. [1] gives an implementation of this
primitive from atomic single writer multireader registers. By using a snapshot primitive,
we limit the number of interleavings that can occur.

• The labeling operation, the operation of choosing a new label given a set of older ones, is
very complex in all former algorithms. Based on the snapshot operation, we introduce a
much simplified version of the labeling algorithm of [11].

• Proving that the bounded algorithm satisfies the CTSS specification has in the past led
to long and involved inductive arguments. We overcome this problem by introducing a
CTSS specification that uses label values taken from the unbounded positive reals. Our
correctness proof first shows that the real-number based specification meets the CTSS
axioms of [11]. Using the forward simulation techniques of the I/O Automata model, we
then show that our bounded algorithm implements the real-number based specification.
(See [30] for references and a discussion of forward simulation techniques.)


The most efficient bounded CTSS implementations [12, 18] require $O(n)$ time per operation.
Though one might think that a high price in complexity must be paid for our algorithm's
modularity and ease of proof, this is not the case. The size of the labels is $O(n)$, and the time
complexity of our algorithm is just that of the underlying atomic snapshot algorithm. The
snapshot implementation of [3] requires $O(n\sqrt{n})$ single writer multireader register operations
per snapshot operation. Hence the complexity of our algorithm is $O(n\sqrt{n})$ for each operation.


The final section of this paper considers some applications of the CTSS primitive. We present
specific algorithms for fcfs mutual exclusion and multireader multiwriter atomic registers and
prove that any CTSS can be used as a primitive in these algorithms.


2 I/O Automata Model 


We present our algorithm in the context of the I/O Automata model. This model, introduced
by Lynch and Tuttle [29], represents algorithms as I/O Automata which are characterized by
states, initial states, a set of actions called an action signature, state transitions called steps, and
an equivalence relation on some of the actions of the action signature called a partition. For
an I/O Automaton A these five components are denoted by states(A), start(A), sig(A), steps(A),
and part(A) respectively.

A step that results from an action is denoted by $(s, \pi, s')$ where $s$ is the original state, $\pi$ is the
action, and $s'$ is the new state. If an action can be executed in a state $s$, it is said to be enabled in
$s$. If an action is not enabled in state $s$, it is said to be disabled in $s$. Actions are classified into
external actions, ext(A), those visible to the user of the algorithm, and internal actions, int(A),
which are not visible to the user. External actions are further classified into input actions,
in(A), which are under the control of the user of the algorithm, and output actions, out(A),
which are under the control of the algorithm. By definition input actions are enabled in all
states. For an I/O Automaton A the tuple consisting of in(A) and out(A) is called A's external
action signature, exsig(A). We now give a more precise definition for some of the elements of
an I/O Automaton. Specifically, for an I/O Automaton A, sig(A) = (in(A), out(A), int(A)).
Furthermore, part(A) defines an equivalence relation on the set of internal actions and output
actions of A. Finally, we define acts(A) = in(A) $\cup$ out(A) $\cup$ int(A).

An execution of an I/O Automaton is an alternating sequence of states and actions that
could be produced if the algorithm is executed starting from an initial state. A state is called
reachable if it is the final state of some execution. A fair execution, $\alpha$, of infinite length is one
in which for all $C \in$ part(A), if some action from $C$ (not necessarily always the same action)
is continuously enabled, $\alpha$ contains infinitely many actions from $C$. A fair execution of finite
length is one in which for all $C \in$ part(A) no actions of $C$ are enabled in the final state. A
schedule, sched($\alpha$), is the projection of an execution $\alpha$ onto the actions of the I/O Automaton.
A fair schedule, fairsched($\alpha$), is the projection of a fair execution $\alpha$ onto the actions of the I/O
Automaton. A behavior, beh($\alpha$), is the projection of an execution $\alpha$ onto the external actions of
the I/O Automaton. A fair behavior, fairbeh($\alpha$), is the projection of a fair execution $\alpha$ onto the
external actions of the I/O Automaton. The set of all possible behaviors of an I/O Automaton
A is called behs(A). The set of all possible fair behaviors of an I/O Automaton A is called
fairbehs(A).

In order to build complex I/O Automata from simple ones, the I/O Automata model defines
the concept of composition. Composed I/O Automata interact using input and output actions
that have the same name. Specifically, assume A and B are two composed I/O Automata. Let
ACT be an output action of A and an input action of B. If A executes ACT this triggers the
execution of ACT for B. In order to compose a set of I/O Automata, we must place certain
restrictions on the action names of the I/O Automata. Specifically, we require that none of the
I/O Automata share any output actions, that the internal actions of each I/O Automaton are not
elements of the action sets of any other I/O Automaton, and that no action is an element of the
action sets of infinitely many I/O Automata (see [29] for a discussion of these restrictions). I/O
Automata that satisfy these restrictions are said to be strongly compatible.


Definition 2.1 Let $I = \{1 \ldots n\}$. A composition $A = \prod_{i \in I} A_i$ of a countable collection of
strongly compatible I/O Automata $\{A_1 \ldots A_n\}$ is the I/O Automaton defined as follows¹:

• sig(A) = $\left(\bigcup_{i \in I} \mathrm{in}(A_i) - \bigcup_{i \in I} \mathrm{out}(A_i),\ \bigcup_{i \in I} \mathrm{out}(A_i),\ \bigcup_{i \in I} \mathrm{int}(A_i)\right)$,

• states(A) = $\prod_{i \in I}$ states($A_i$),

• start(A) = $\prod_{i \in I}$ start($A_i$),

• steps(A) is the set of triples $(\bar{s}_1, \pi, \bar{s}_2)$ such that for all $i \in I$, if $\pi \in$ acts($A_i$),
then $(\bar{s}_1[i], \pi, \bar{s}_2[i]) \in$ steps($A_i$), and if $\pi \notin$ acts($A_i$) then $\bar{s}_1[i] = \bar{s}_2[i]$,

• part(A) = $\bigcup_{i \in I}$ part($A_i$).

¹The $\prod$ symbol used to define states(A) and start(A) represents the normal Cartesian product. The notation
$\bar{s}[i]$ denotes the $i$-th component of the state vector $\bar{s}$.


We sometimes do not want the actions that constitute the interface between two composed
I/O Automata to be visible to the environment. Therefore, the I/O Automata model makes it
possible to reclassify output actions to be internal actions. Such reclassified actions are said to
be hidden.

The I/O Automata model represents a problem specification, P, as an external action
signature, exsig(P), along with a set of allowable behaviors, behs(P), on the actions in exsig(P).
An I/O Automaton A is said to solve a problem specification P if exsig(A) = exsig(P) and
fairbehs(A) $\subseteq$ behs(P). We say that an I/O Automaton A implements another I/O Automaton
B if fairbehs(A) $\subseteq$ fairbehs(B). Our correctness proof uses the following theorem on
simulation proofs, which is a restricted version of a theorem in [29].


Theorem 2.1 Let A and B be I/O Automata with sig(A) = sig(B), part(A) = part(B), and
$R$ a relation over the states of A and B. Suppose:

1. If $a$ is an initial state of A, then there exists an initial state $b$ of B such that $(a, b) \in R$.

2. Suppose $a$ is a reachable state of A and $b$ is a reachable state of B such that $(a, b) \in R$. If
$(a, \pi, a')$ is a step of A then there exists a state $b'$ of B such that $(b, \pi, b')$ is a step of B
and $(a', b') \in R$.

3. If action $\pi$ is enabled in state $b$ of B and $(a, b) \in R$ then action $\pi$ is enabled in state $a$ of
A.

Then fairbehs(A) $\subseteq$ fairbehs(B).
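When both automata are finite, the three conditions of Theorem 2.1 can be checked mechanically by enumeration. The following Python program is an added example and is not part of the paper: it represents an automaton by its start states and an explicit step set, computes the reachable states, and reports every violated condition. The two automata (a modulo-4 counter that reports its parity, and the parity abstraction alone), the action names and the two candidate relations are constructed for illustration; the hypothesis part(A) = part(B) is not modelled.

```python
"""Mechanical check of the three conditions of Theorem 2.1 (forward simulation)
for explicitly enumerated finite I/O automata (added example, not the paper's code)."""


class Automaton:
    """A finite I/O automaton given by its start states and its step set.
    steps is a set of (s, action, s') triples; the action signature is taken
    to be the set of action names occurring in steps."""

    def __init__(self, start, steps):
        self.start = set(start)
        self.steps = set(steps)
        self.states = self.start | {s for s, _, _ in steps} | {t for _, _, t in steps}
        self.actions = {a for _, a, _ in steps}

    def enabled(self, s):
        """Actions that have a step out of state s."""
        return {a for (x, a, _) in self.steps if x == s}

    def reachable(self):
        """States that are the final state of some execution (Section 2)."""
        seen, frontier = set(self.start), list(self.start)
        while frontier:
            s = frontier.pop()
            for (x, _, t) in self.steps:
                if x == s and t not in seen:
                    seen.add(t)
                    frontier.append(t)
        return seen


def check_forward_simulation(A, B, R):
    """Return the list of violations of Theorem 2.1's hypotheses; an empty list
    means R is a forward simulation from A to B (with sig(A) = sig(B); the
    partitions are assumed equal and are not modelled here)."""
    problems = []
    if A.actions != B.actions:
        problems.append("sig(A) != sig(B)")
    # Condition 1: every start state of A is related to some start state of B.
    for a in A.start:
        if not any((a, b) in R for b in B.start):
            problems.append(f"cond1: start state {a!r} of A has no related start state of B")
    reach_A, reach_B = A.reachable(), B.reachable()
    for (a, b) in sorted(R, key=repr):
        if a not in reach_A or b not in reach_B:
            continue  # the theorem only constrains reachable related pairs
        # Condition 2: each step (a, pi, a') of A is matched by a step (b, pi, b')
        # of B with (a', b') in R.
        for (x, act, a2) in A.steps:
            if x == a and not any((b, act, b2) in B.steps and (a2, b2) in R
                                  for b2 in B.states):
                problems.append(f"cond2: step ({a!r}, {act}, {a2!r}) unmatched from {b!r}")
        # Condition 3: an action enabled in b must be enabled in a.
        for act in B.enabled(b) - A.enabled(a):
            problems.append(f"cond3: {act} enabled in {b!r} but not in {a!r}")
    return problems


def example():
    """A: a modulo-4 counter that reports its parity; B: the parity alone.
    The relation mapping each count to its parity satisfies all three
    conditions; the relation mapping every count to 'even' does not."""
    A = Automaton(
        start={0},
        steps={(s, "tick", (s + 1) % 4) for s in range(4)}
        | {(s, "report_even" if s % 2 == 0 else "report_odd", s) for s in range(4)})
    B = Automaton(
        start={"even"},
        steps={("even", "tick", "odd"), ("odd", "tick", "even"),
               ("even", "report_even", "even"), ("odd", "report_odd", "odd")})
    good = {(s, "even" if s % 2 == 0 else "odd") for s in range(4)}
    bad = {(s, "even") for s in range(4)}
    return check_forward_simulation(A, B, good), check_forward_simulation(A, B, bad)


if __name__ == "__main__":
    ok, broken = example()
    print("parity relation:", ok or "forward simulation")
    print("all-even relation:", broken)
```

The parity relation yields no violations, so the theorem gives fairbehs(A) ⊆ fairbehs(B) for the counter. The all-even relation fails condition 2 (from count 1 the `tick` step leads to count 2, which it does not relate to `odd`) and condition 3 (`report_even` is enabled in `even` but not in count 1), which is exactly the kind of mismatch the relation in a simulation proof must rule out.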


The I/O Automata model, while providing efficient techniques for reasoning about the 
correctness of algorithms, is much more general than the shared memory model [23] for which 
our timestamp algorithm is designed. Consequently, we introduce some added structure to the 
I/O Automata model. This section describes the basics needed to understand our correctness 
proof. Section 9 provides a more sophisticated development of shared memory concepts in the 
I/O Automata model. Some of the concepts in this section and most of the concepts in Section 9 
are due to Goldman, Lynch and Yelick [15]. (See [28] for discussion of similar issues.) 

We first introduce a type of interface which will be used to characterize the external action
signature of I/O Automata and problem specifications for the shared memory model. The
interface captures the intuitive notion of a set of processes that perform operations on behalf
of some user. Typically, any process might be able to perform several types of operations.


Definition 2.2 (operational interface) An operational interface is an external action
signature S that partitions its actions into disjoint sets called operation types. The set of operation
types of S is denoted by ops(S). Each operation type consists of at least one input and one
output action.


As a shorthand, we will sometimes use the term operation instead of operation type. Notice
that an operational interface only describes an external action signature. Hence an operational
interface can be used to describe both I/O Automata and problem specifications. If we compose
two I/O Automata which have an operational interface, the set of operation types of the
composed I/O Automaton is the union of the sets of operation types of each of the constituent I/O
Automata. Again, we must add some restrictions on a set of I/O Automata being composed.
Assume that we wish to compose I/O Automaton A and I/O Automaton B. We require that
each action in acts(A) $\cap$ acts(B) be an element of the same operation type in A and B.
Furthermore, if one action of an operation type of A or B is in acts(A) $\cap$ acts(B) then all actions
of that operation type are in acts(A) $\cap$ acts(B). An operation instance is defined as follows:


Definition 2.3 (operation instance) Let $\beta$ be a behavior of an operational interface. Let $a$
be an operation type of the operational interface. An operation instance is the occurrence of
an input action of $a$ and the first output action of $a$ that follows the input action of $a$ in the
behavior $\beta$.


We now introduce a set of notational conventions. Let S be an operational interface. For
an operation type $a \in$ ops(S) we refer to the input actions of $a$ by INVOKE($a$, $v$) and the
output actions of $a$ by RESPONSE($a$, $r$). The symbols $v$ and $r$ are syntactic placeholders for any
arguments² that are used by this operation type. The I/O Automata and problem specifications
that we consider typically allow several concurrent operations. We model concurrent operations
with I/O Automata whose operational interfaces are structured as follows. Assume that A is an

²Formally, $v$ and $r$ are used to uniquely identify the actions of operation type $a$. Intuitively, $v$ and $r$ represent
arguments. The arguments $v$ and $r$ are syntactic placeholders since the I/O Automata model does not have the
concept of an argument. Arguments are implemented by having a separate action for each possible argument
value.
I/O Automaton with an operational interface that can handle up to $n$ concurrent operations.
Then for each $i \in \{1 \ldots n\}$ there exists a non-empty set of operation types $S_i \subseteq$ ops(exsig(A)).
$S_i$ and $S_j$ are disjoint when $i \neq j$. For each operation type $a_i \in S_i$ we refer to the input actions
of $a_i$ by INVOKE$_i(a_i, v)$ and the output actions of $a_i$ by RESPONSE$_i(a_i, r)$. Intuitively there is a
process, $p_i$, associated with all actions whose names include the index $i$. For the remainder of
the section, assume that all I/O Automata have an operational interface as described above.
We now define a set of concepts with which we can characterize the behaviors of I/O
Automata and problem specifications that have operational interfaces. Let A be an I/O Automaton
or a problem specification with an operational interface. If $\beta$ is a behavior of A, then $\beta_i$ is the
projection of $\beta$ onto the actions that have the index $i$ as part of their name.


Definition 2.4 (well-formed) Let A be an I/O Automaton or a problem specification with
an operational interface. A behavior $\beta$ of A is well-formed if, for all $\beta_i$, $\beta_i$ consists of an
alternating sequence of input and output actions, starting with an input action, such that
each output action is immediately preceded by an input action of the same operation type.
Specifically, if $a_i \in$ ops(exsig(A)), each RESPONSE$_i(a_i, r)$ action is immediately preceded by an
INVOKE$_i(a_i, v)$ action.


Definition 2.5 (well-formed-input) Let A be an I/O Automaton or a problem specification
with an operational interface. A behavior $\beta$ of A has a well-formed-input if, for all $\beta_i$, there
exist no two consecutive input actions.


Definition 2.6 (well-formed-preserving) Let A be an I/O Automaton or a problem
specification with an operational interface. Let $\beta$ be a behavior of A. $\beta$ is well-formed-preserving if,
for all prefixes $\beta'$ of $\beta$ that have a well-formed-input, $\beta'$ is well-formed.


We say that an I/O Automaton is well-formed-preserving if all of its behaviors are well-formed-
preserving. Similarly, a problem specification is well-formed-preserving if all of its behaviors are
well-formed-preserving. In addition to the safety properties described by the well-formedness
concepts, we require the following liveness property.


Definition 2.7 (response-live) Let A be an I/O Automaton or a problem specification with
an operational interface. Let $\beta$ be a well-formed behavior of A. Then $\beta$ is response-live if each
INVOKE$_i(a_i, v)$ action is eventually followed by a RESPONSE$_i(a_i, r)$ action.
We say that an I/O Automaton is response-live if all of its fair behaviors are response-live.
Similarly, a problem specification is response-live if all of its behaviors are response-live. We
can now define the following partial order on the operation instances of any well-formed and
response-live behavior.


Definition 2.8 ($\to$ order) Let $\beta$ be a well-formed and response-live behavior of an I/O
Automaton or problem specification with an operational interface. Let $a_i$ and $b_j$ be any two
operation instances³ in $\beta$. In general $a_i$ and $b_j$ can be instances of the same operation type.
We say that $a_i \to b_j$ if and only if in the behavior $\beta$ the RESPONSE$_i(a_i, r)$ action associated
with $a_i$ precedes the INVOKE$_j(b_j, v)$ action associated with $b_j$.

The order $\to$ is the same as the precedes relation of [22, 23]. Since $\beta$ is a well-formed behavior,
all operations with the same index are totally ordered by $\to$.
An important type of I/O Automaton is called an atomic I/O Automaton. Before defining
an atomic I/O Automaton we introduce the notion of a serial specification [38].


Definition 2.9 (serial specification) A serial specification is a set of finite and/or infinite
sequences of operations.


Intuitively, a serial specification characterizes a behavior consisting of a set of sequentially
executed operations.


Definition 2.10 (atomic I/O Automata) An I/O Automaton A is atomic for a serial
specification S if A has an operational interface, is well-formed-preserving, and is response-live.
Furthermore, for any behavior $\beta \in$ fairbehs(A) there exists a total order $\Longrightarrow$ on the operation
instances in $\beta$ such that:

1. $\Longrightarrow$ is consistent with $\to$.

2. The sequence consisting of the operation instances in $\beta$ ordered by $\Longrightarrow$ is in S.

³We sometimes use the same name for operation instances and operation types. The meaning of a name will
always be clear from context.
3 Concurrent Timestamp System

The following is a formal definition of a CTSS due to Dolev and Shavit [11]. It uses the axiomatic
specification formalism of Lamport [22, 23].

A CTSS is a problem specification with an operational interface. A CTSS that permits $n$
concurrent operations has $2n$ operation types, specifically LABEL$_i$ and SCAN$_i$ for $i \in \{1 \ldots n\}$.
Each of these operation types consists of the following actions: LABEL$_i$ consists of the input
action BEGINLABEL$_i(val_i)$ and the output action ENDLABEL$_i$. SCAN$_i$ consists of the input action
BEGINSCAN$_i$ and the output action ENDSCAN$_i(\bar{o}, \bar{v})$. A LABEL$_i$ operation associates a value, $val_i$,
taken from any domain, $V$, with a label. In order to correctly handle initial conditions the value
domain $V$ must specify some initial value $v_0$. A SCAN$_i$ operation returns a pair $(\bar{o}, \bar{v})$, where
$\bar{v} = (v_1 \ldots v_n)$ is an indexed set of values (one per process), and $\bar{o}$ is a total order on these
indexes.

We now introduce some notation. In a particular behavior $\beta$, $L_i^{[k]}$ denotes the $k$-th instance
of a LABEL$_i$ operation, and $S_i^{[k]}$ denotes the $k$-th instance of a SCAN$_i$ operation. Furthermore,
$val_i^{[k]}$ denotes the value passed to operation $L_i^{[k]}$. (The superscript $[k]$ is used only for notation,
and is not visible to the I/O Automaton.) We call the superscript $[k]$ an execution number.
The domain of execution numbers is $E = \{1, 2, \ldots\}$. Finally, we define a choice function, $c$, as
a function mapping $\{1 \ldots n\} \times E \times \{1 \ldots n\}$ to $E \cup \{0\}$. Intuitively, the choice function provides
a way to determine which operation wrote a value returned by a SCAN operation. Specifically,
if $c(i, a, k) \neq 0$, the value $v_k$ returned by operation $S_i^{[a]}$ was written by the operation $L_k^{[c(i,a,k)]}$.
If $c(i, a, k) = 0$, then the value $v_k$ returned by operation $S_i^{[a]}$ is the initial value $v_0$.


The set of behaviors of a CTSS, behs(CTSS), is defined as follows:

Definition 3.1 $\beta \in$ behs(CTSS) if and only if:

1. If $\beta$ has a well-formed-input, then $\beta$ is well-formed.

2. If $\beta$ has a well-formed-input, then $\beta$ is response-live.

3. If $\beta$ is well-formed, then there exists a total order $\Longrightarrow$ on the set of all LABEL operations
and a choice function $c$ such that $\beta$, $\Longrightarrow$ and $c$ satisfy axioms P0-P4 given below.

Note: if $\beta$ does not have a well-formed-input, then $\beta$ can be arbitrary.
In order to handle initial conditions, we let $val_i^{[0]} = v_0$ for all $i$, where $v_0$ is the initial value
of the value domain $V$. Recall that execution numbers start with 1.


P0 choice function: For any value $v_j$ in $\bar{v}$ of $S_i^{[a]}$, $v_j = val_j^{[c(i,a,j)]}$, where $val_j^{[0]} = v_0$.

P1 ordering: $\Longrightarrow$ is a total order on the set of all LABEL operation instances in $\beta$, such that:

a. precedence: For any pair of LABEL operation instances $L_i^{[a]}$ and $L_j^{[b]}$ (where possibly $i$
and $j$ are the same index), if $L_i^{[a]} \to L_j^{[b]}$ then $L_i^{[a]} \Longrightarrow L_j^{[b]}$.

b. consistency: For any SCAN operation instance $S_i^{[a]}$ that returns $\bar{v}$ and $\bar{o}$, if $v_j, v_k \in \bar{v}$:

   if $c(i,a,j) > 0$ and $c(i,a,k) > 0$: $j < k$ in $\bar{o}$ if and only if $L_j^{[c(i,a,j)]} \Longrightarrow L_k^{[c(i,a,k)]}$;

   if $c(i,a,j) = 0$ and $c(i,a,k) = 0$: $j < k$ in $\bar{o}$ if and only if $j < k$;

   if $c(i,a,j) = 0$ and $c(i,a,k) > 0$: $j < k$ in $\bar{o}$;

   if $c(i,a,j) > 0$ and $c(i,a,k) = 0$: $k < j$ in $\bar{o}$.

The above property implies that there is a unique total ordering on LABEL operation instances
of all processes, which is a serialization order (part a), and with which all SCAN operations are
consistent (part b).

P2 regularity: Let $S_j^{[a]}$ be a SCAN operation instance. If $c(j,a,i) > 0$, then it is not the case
that $S_j^{[a]} \to L_i^{[c(j,a,i)]}$, and there is no $L_i^{[b]}$ such that $L_i^{[c(j,a,i)]} \to L_i^{[b]} \to S_j^{[a]}$. If $c(j,a,i) = 0$, then there exists
no $L_i^{[b]}$ such that $L_i^{[b]} \to S_j^{[a]}$.


Though a regular CTSS (having properties P0-P2) would suffice for some applications (for
example Lamport's "Bakery Algorithm" [19]), a more powerful concurrent timestamp system is
needed in applications such as the multireader multiwriter atomic register construction (see
[24, 34]). To this end the following third and fourth axioms are added:


P3 monotonicity: Let $S_i^{[a]}$ return $v_k = val_k^{[c(i,a,k)]}$ and $S_j^{[b]}$ return $v_k = val_k^{[c(j,b,k)]}$ (where
possibly $i = j$). Then $S_i^{[a]} \to S_j^{[b]}$ and $c(i,a,k) \neq c(j,b,k)$ imply $c(i,a,k) < c(j,b,k)$.

Note that $c(i,a,k) < c(j,b,k)$ implies that $L_k^{[c(i,a,k)]} \Longrightarrow L_k^{[c(j,b,k)]}$ when $c(i,a,k) > 0$ and
$c(j,b,k) > 0$. Monotonicity is the property that in an unbounded real-number CTSS can be
described by saying that the labels of any one process, as read by increasingly later SCAN
operations, are "monotonically non-decreasing." It is important to note that P3 does not
imply that one can serialize all LABEL and SCAN operation instances. It does however imply the
serializability of the SCAN operation instances of all processes relative to the LABEL operation
instances of any one process [37]. P4⁴ is an extension of part of the regularity property to the
$\Longrightarrow$ order. The properties P3 and P4 together imply that all SCAN operations that consider
only the "largest" value, where "largest" is based on the $\bar{o}$ ordering, can be serialized with
respect to all LABEL operations.

P4 $\Longrightarrow$ regularity: Let $S_i^{[a]}$ be a SCAN operation instance. If $c(i,a,k) > 0$, then $S_i^{[a]} \to L_j^{[b]}$
implies that $L_k^{[c(i,a,k)]} \Longrightarrow L_j^{[b]}$.


4 An Unbounded Concurrent Timestamp System 


This section introduces a particular implementation of a concurrent timestamp system, UCTSS,
that uses timestamps from $\mathbb{R}^+$. UCTSS is introduced as an intermediary I/O Automaton whose
purpose is to simplify the correctness proof of our bounded CTSS.

The code for the operations of UCTSS is presented in two forms. Figure 1 presents the code
in the precondition-effect notation commonly used to describe I/O Automata⁵. Figure 2 uses
pseudocode. We use the precondition-effect notation as the basis for the correctness proof and
include the compact and intuitive pseudocode only for clarity.

The system models $n$ processes indexed by $\{1 \ldots n\}$. Each process $p_i$ in UCTSS can perform
a SCAN$_i$ and a LABEL$_i$ operation. A LABEL$_i$ operation allows process $p_i$ to associate a label
(timestamp) with a given value. A SCAN$_i$ operation allows process $p_i$ to determine the order
among values based on their associated labels. The function NEWLABEL$_i$, which is used by
LABEL$_i$, is defined in Figure 3. A SNAP$_i$ operation, which is defined by Afek et al. in [1],
atomically reads an array of single writer multireader registers. An UPDATE$_i$ operation, also
defined by [1], writes a value to a single register in the array of single writer multireader registers

⁴A more powerful CTSS satisfying P4 is needed in applications such as the multireader multiwriter atomic
register construction of [24, 34]. P4 is included in the journal version of [11], but is not included in the conference
version of [11] or in [37].

⁵BCTSS is the name for our bounded CTSS implementation. The name is included in the caption since the
code in the figure is shared by BCTSS and UCTSS. BCTSS is introduced in Section 5.
Shared State:
  $\ell_i$:         The current label associated with process $p_i$; initially 0.
  $v_i$:            The current value associated with process $p_i$; initially $v_0$.

Local State:
  $n\ell_i$:        The new label for $p_i$ determined by function NEWLABEL$_i$; initially 0.
  $val_i$:          The new value for $p_i$ passed to LABEL$_i$; initially $v_0$.
  $\bar{\ell}_i$:   An array of labels returned by SNAP$_i$; initially $(0 \ldots 0)$.
  $\bar{v}_i$:      An array of values returned by SNAP$_i$; initially $(v_0 \ldots v_0)$.
  $\bar{o}_i$:      An array of process indexes ordered based on the $\prec$ order; initially $(1 \ldots n)$.
  $pc_i$:           The non-input action currently enabled; initially NIL.
  $op_i$:           The current operation; initially NIL.

SCAN$_i$:
  BEGINSCAN$_i$
      Eff: $op_i \leftarrow$ SCAN$_i$
           $pc_i \leftarrow$ SNAP$_i(\bar{\ell}_i, \bar{v}_i)$
  SNAP$_i(\bar{\ell}_i, \bar{v}_i)$
      Pre: $pc_i =$ SNAP$_i(\bar{\ell}_i, \bar{v}_i)$
      Eff: If $op_i =$ SCAN$_i$ then
               $\bar{o}_i \leftarrow$ the sequence of indexes where
                   $j$ appears before $k$ in $\bar{o}_i$ iff $(\bar{\ell}_{i_j}, j) \prec (\bar{\ell}_{i_k}, k)$
               $pc_i \leftarrow$ ENDSCAN$_i(\bar{o}_i, \bar{v}_i)$
           If $op_i =$ LABEL$_i$ then
               $n\ell_i \leftarrow$ NEWLABEL$_i(\bar{\ell}_i)$
               $pc_i \leftarrow$ UPDATE$_i((\ell_i, v_i), (n\ell_i, val_i))$
  ENDSCAN$_i(\bar{o}_i, \bar{v}_i)$
      Pre: $pc_i =$ ENDSCAN$_i(\bar{o}_i, \bar{v}_i)$
      Eff: $pc_i \leftarrow$ NIL

LABEL$_i$:
  BEGINLABEL$_i(val_i)$
      Eff: $op_i \leftarrow$ LABEL$_i$
           $pc_i \leftarrow$ SNAP$_i(\bar{\ell}_i, \bar{v}_i)$
  UPDATE$_i((\ell_i, v_i), (n\ell_i, val_i))$
      Pre: $pc_i =$ UPDATE$_i((\ell_i, v_i), (n\ell_i, val_i))$
      Eff: $(\ell_i, v_i) \leftarrow (n\ell_i, val_i)$
           $pc_i \leftarrow$ ENDLABEL$_i$
  ENDLABEL$_i$
      Pre: $pc_i =$ ENDLABEL$_i$
      Eff: $pc_i \leftarrow$ NIL

Figure 1: Precondition-Effect code for UCTSS and BCTSS
SCAN$_i$
  SNAP$_i(\bar{\ell}_i, \bar{v}_i)$
  $\bar{o}_i \leftarrow$ the sequence of indexes where $j$ appears before $k$ in $\bar{o}_i$ iff $(\bar{\ell}_{i_j}, j) \prec (\bar{\ell}_{i_k}, k)$
  return $(\bar{o}_i, \bar{v}_i)$

LABEL$_i(val_i)$
  SNAP$_i(\bar{\ell}_i, \bar{v}_i)$
  $n\ell_i \leftarrow$ NEWLABEL$_i(\bar{\ell}_i)$
  UPDATE$_i((\ell_i, v_i), (n\ell_i, val_i))$

Figure 2: Pseudocode for UCTSS and BCTSS


read by SNAP$_i$. SNAP$_i$ and UPDATE$_i$ are waitfree, therefore their use does not compromise the
waitfree properties of our timestamp algorithm.


NEWLABEL$_i(\bar{\ell}_i)$
  if $i \neq i_{max}$
    then return $(\ell_{max} + X)$ where $X$ is nondeterministically selected from $\mathbb{R}^+$
    else return $\ell_i$

Figure 3: Code for NEWLABEL$_i$ of UCTSS


The state of UCTSS is defined by the shared state and the local state of each of the $n$ processes.
The shared and local state of each process, along with the initial values, are defined in Figure 1.
The state of UCTSS also has derived variables $\ell_{max}$ and $i_{max}$: $\ell_{max} = \max(\ell_1 \ldots \ell_n)$ and $i_{max}$ is
the largest process index $j$ such that $\ell_j = \ell_{max}$.

In terms of the I/O Automata model, UCTSS is an I/O Automaton with an operational
interface. UCTSS is a composition of $n$ I/O Automata called $p_1, \ldots, p_n$. Each $p_i$ is an I/O Automaton
with an operational interface that consists of the operation types LABEL$_i$ and SCAN$_i$. The LABEL$_i$
operation type consists of the input action BEGINLABEL$_i(val_i)$ and the output action ENDLABEL$_i$.
The operation type SCAN$_i$ consists of the input action BEGINSCAN$_i$ and the output action
ENDSCAN$_i(\bar{o}_i, \bar{v}_i)$. The internal actions of $p_i$ are SNAP$_i(\bar{\ell}_i, \bar{v}_i)$ and UPDATE$_i((\ell_i, v_i), (n\ell_i, val_i))$.
The set steps($p_i$) is characterized by the precondition clause of each action. The set part($p_i$)
consists of a single equivalence class $C_i$ whose elements are the actions SNAP$_i(\bar{\ell}_i, \bar{v}_i)$,
ENDSCAN$_i(\bar{o}_i, \bar{v}_i)$, UPDATE$_i((\ell_i, v_i), (n\ell_i, val_i))$, and ENDLABEL$_i$. The set states($p_i$) is the set of
all possible states of $p_i$, where each state is defined by the values of the variables of the shared
and local state. The set start($p_i$) is the set consisting of the state defined by the initial values
of the variables of the shared and local state.

The shared state is accessed only using the atomic SNAP$_i$ and UPDATE$_i$ actions. Since
SNAP$_i$ and UPDATE$_i$ are atomic, each action of UCTSS is atomic. Notice that the SNAP$_i$ action
refers to the elements of the vector $\bar{\ell}_i$ indirectly, through the use of $i_{max}$ and $\ell_{max}$ and
in order to calculate $\bar{o}_i$. Since SNAP$_i$ is atomic, the labels in $\bar{\ell}_i$ are the same as the corresponding
labels in the shared state. In other words, $\bar{\ell}_{i_j} = \ell_j$ during the action. Consequently, we refer
directly to the shared variables $i_{max}$, $\ell_{max}$, and $\ell_j$ rather than to their copies $\bar{i}_{max}$, $\bar{\ell}_{max}$, and $\bar{\ell}_{i_j}$
when analyzing the SNAP$_i$ action.

UCTSS uses labels that are non-negative real numbers. The ordering between labels is the usual $<$ order of $\mathbb{R}^{\ge 0}$. The ordering $\ll$ used in the ORDER$_i$ action is a lexicographical order between label and process index pairs.

Definition 4.1 ($\ll$ order) $(\ell_i, i) \ll (\ell_j, j)$ iff $\ell_i < \ell_j$, or $\ell_i = \ell_j$ and $i < j$. □


We now prove some characteristics of $\ll$ that will be used to prove that UCTSS solves CTSS. First consider the following notation: $t_i^{[a]}$ is the label written as a consequence of the $L_i^{[a]}$ operation. When $a = 0$, $t_i^{[0]}$ is equal to the initial value for labels, which for UCTSS is 0. $L_i^{[a]}(\mathrm{UPDATE})$ refers to the UPDATE$_i$ action executed as a consequence of the $L_i^{[a]}$ operation, and $L_i^{[a]}(\mathrm{SNAP})$ refers to the SNAP$_i$ action executed as a consequence of the $L_i^{[a]}$ operation. Similarly, $S_i^{[a]}(\mathrm{SNAP})$ refers to the SNAP$_i$ action executed as a consequence of the $S_i^{[a]}$ operation. The SNAP and UPDATE actions model two atomic operations. In the usual model for atomic operations [23], each operation is separated into a request (input) action and a response (output) action, concurrent operation executions are allowed, and it is assumed that every request eventually terminates in a matching response, in such a way as to produce the illusion of instantaneous operations. Consequently, we model SNAP and UPDATE as single actions rather than separate input and output actions. We present a formal justification for treating SNAP and UPDATE operations as single actions rather than separate input and output actions in Section 9. Since SNAP and UPDATE are single actions, there exists a total order on all SNAP and UPDATE actions. We represent this order by $\Rightarrow'$. If a SNAP action returns the set of values $\bar{v}$ and labels $\bar{t}$, then $v_j$ and $t_j$ are the value and label written by the UPDATE$_j$ action that immediately precedes the SNAP action in the $\Rightarrow'$ ordering. If a SNAP action is not preceded by an UPDATE$_j$ action, then $v_j$ and $t_j$ are equal to their initial values.


Lemma 4.1 Consider any well-formed, response-live behavior $\beta$ where $\beta \in fairbehs(\mathrm{UCTSS})$. For any $i$, $a$ and SNAP operation $L_j^{[b]}(\mathrm{SNAP})$, if either $a > 0$ and $L_i^{[a]}(\mathrm{UPDATE}) \Rightarrow' L_j^{[b]}(\mathrm{SNAP})$ in $\beta$, or $a = 0$, then:

1. $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$ when $i \ne j$.

2. $(t_i^{[a]}, i) = (t_j^{[b]}, j)$ or $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$ when $i = j$.

Proof: Let $t_{\max}$ and $i_{\max}$ be the $t_{\max}$ and $i_{\max}$ used in NEWLABEL$_j$ for $L_j^{[b]}$. Since $\beta$ is well-formed, each process must read its current label when determining its new label. This fact, along with the fact that $X$ in NEWLABEL$_j$ is in $\mathbb{R}^{>0}$, shows that the labels of all processes are nondecreasing. In other words, a label for some process in a particular state of $\beta$ is never larger than the label for the same process in a subsequent state of $\beta$. Thus $t_i^{[a]} \le t_{\max}$ when $a = 0$. When $a > 0$, $L_i^{[a]}(\mathrm{UPDATE}) \Rightarrow' L_j^{[b]}(\mathrm{SNAP})$ shows that $t_i^{[a]} \le t_{\max}$. Consider the following cases:

$j = i_{\max}$ and $i \ne j$: When $j = i_{\max}$, then $t_{\max} = t_j^{[b-1]}$. Recall that $t_i^{[a]} \le t_{\max}$. Consider the cases $t_i^{[a]} = t_{\max}$ and $t_i^{[a]} < t_{\max}$ separately. When $t_i^{[a]} = t_{\max}$, then, since $t_{\max} = t_j^{[b-1]}$, $t_i^{[a]} = t_j^{[b-1]}$. Furthermore, since $i \ne j$ and $j = i_{\max}$, $i \ne i_{\max}$. Since $j = i_{\max}$, $i \ne i_{\max}$ and $t_i^{[a]} = t_{\max}$, the definition of $i_{\max}$ shows that $i < j$. As a result of the action $L_j^{[b]}(\mathrm{SNAP})$, $t_j^{[b]} = t_{\max}$. Hence $t_i^{[a]} = t_j^{[b]}$ and $i < j$, which implies that $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$. Now consider the case $t_i^{[a]} < t_{\max}$. As a result of the action $L_j^{[b]}(\mathrm{SNAP})$, $t_j^{[b]} = t_{\max}$. Hence $t_i^{[a]} < t_j^{[b]}$, which implies that $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$.

$j = i_{\max}$ and $i = j$: As a result of the action $L_j^{[b]}(\mathrm{SNAP})$ and the fact that $j = i_{\max}$, $t_j^{[b]} = t_{\max}$. Since $t_i^{[a]} \le t_{\max}$, it must now be the case that $t_i^{[a]} \le t_j^{[b]}$. This implies that $(t_i^{[a]}, i) = (t_j^{[b]}, j)$ or $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$.

$j \ne i_{\max}$: As a result of the action $L_j^{[b]}(\mathrm{SNAP})$ and the fact that $j \ne i_{\max}$, $t_{\max} < t_j^{[b]}$. Since $t_i^{[a]} \le t_{\max}$, it must now be the case that $t_i^{[a]} < t_j^{[b]}$. This implies that $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$. □
Corollary 4.2 Consider any well-formed, response-live behavior $\beta$ where $\beta \in fairbehs(\mathrm{UCTSS})$. For any two LABEL operations $L_i^{[a]}$ and $L_j^{[b]}$, if $L_i^{[a]} \to L_j^{[b]}$ in $\beta$, then:

1. $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$ when $i \ne j$.

2. $(t_i^{[a]}, i) = (t_j^{[b]}, j)$ or $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$ when $i = j$.

Proof: If $L_i^{[a]} \to L_j^{[b]}$, then $L_i^{[a]}(\mathrm{UPDATE}) \Rightarrow' L_j^{[b]}(\mathrm{SNAP})$. Now Lemma 4.1 proves the corollary. □


Consider any well-formed, response-live behavior $\beta$ where $\beta \in fairbehs(\mathrm{UCTSS})$. Define $\Rightarrow'$, a total order on all the SNAP and UPDATE operations of $\beta$, as before. We now define a total order⁶ $\Rightarrow$ on the LABEL operations in $\beta$ and a choice function $c$. Recall from Definition 2.8 that $\to$ defines a partial order on the operation instances of a well-formed, response-live behavior.

Definition 4.2 ($\Rightarrow$ order) $L_i^{[a]} \Rightarrow L_j^{[b]}$ iff either $L_i^{[a]} \to L_j^{[b]}$ or $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$. □

Definition 4.3 (choice function $c$) If $S_i^{[a]}$ returns $\bar{o}_i$ and $L_j^{[b]}(\mathrm{UPDATE})$ is the UPDATE$_j$ action that immediately precedes $S_i^{[a]}(\mathrm{SNAP})$ in $\Rightarrow'$, then $c(i, a, j) = b$. If no such UPDATE$_j$ action exists, then $c(i, a, j) = 0$. □

For the following lemmas assume that $\beta$ is well-formed, response-live, $\beta \in fairbehs(\mathrm{UCTSS})$, and $\to$ is defined as in Definition 2.8. Furthermore, $\Rightarrow$ and $c$ are defined as in Definition 4.2 and Definition 4.3 respectively.


Lemma 4.3 The order $\Rightarrow$ is a total order on all LABEL operation instances in $\beta$.

Proof: In order to simplify the notation in this proof, we write $L_i^{[a]} \ll L_j^{[b]}$ instead of $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$. Since $\to$ is a partial order, it is irreflexive, antisymmetric, and transitive. By definition, $\ll$ is irreflexive, antisymmetric, and transitive.

irreflexive: This follows immediately from the fact that $\to$ and $\ll$ are irreflexive.

antisymmetric: To reach a contradiction assume that $L_i^{[a]} \Rightarrow L_j^{[b]}$ and $L_j^{[b]} \Rightarrow L_i^{[a]}$. Since $\to$ and $\ll$ are antisymmetric, we can assume without loss of generality that $L_i^{[a]} \to L_j^{[b]}$ and $L_j^{[b]} \ll L_i^{[a]}$. Using the fact that $L_i^{[a]} \to L_j^{[b]}$ along with Corollary 4.2 we can conclude that $L_i^{[a]} \ll L_j^{[b]}$ or $L_i^{[a]} = L_j^{[b]}$. However, this contradicts the fact that $L_j^{[b]} \ll L_i^{[a]}$.

transitive: For a contradiction assume that $L_i^{[a]} \Rightarrow L_j^{[b]}$ and $L_j^{[b]} \Rightarrow L_k^{[c]}$ but $L_i^{[a]} \not\Rightarrow L_k^{[c]}$. Consider the case where $L_i^{[a]} \to L_j^{[b]}$ and $L_j^{[b]} \ll L_k^{[c]}$ but $L_i^{[a]} \not\to L_k^{[c]}$ and $L_i^{[a]} \not\ll L_k^{[c]}$. Corollary 4.2 and the fact that $L_i^{[a]} \to L_j^{[b]}$ imply that $L_i^{[a]} \ll L_j^{[b]}$ or $L_i^{[a]} = L_j^{[b]}$. This fact along with the fact that $L_j^{[b]} \ll L_k^{[c]}$ implies that $L_i^{[a]} \ll L_k^{[c]}$. This contradicts the earlier assumption that $L_i^{[a]} \not\ll L_k^{[c]}$. Since $\to$ and $\ll$ are transitive, the only other case is $L_i^{[a]} \ll L_j^{[b]}$ and $L_j^{[b]} \to L_k^{[c]}$ but $L_i^{[a]} \not\to L_k^{[c]}$ and $L_i^{[a]} \not\ll L_k^{[c]}$. We use the same reasoning as in the previous case to show that this case also cannot arise.

total: Consider any two label operations $L_i^{[a]}$ and $L_j^{[b]}$. When $i \ne j$ then $L_i^{[a]}$ and $L_j^{[b]}$ are ordered by $\ll$. When $i = j$ then $L_i^{[a]}$ and $L_j^{[b]}$ are ordered by $\to$.

Since $\Rightarrow$ is irreflexive, antisymmetric, transitive and total, we can conclude that $\Rightarrow$ is a total order. □

⁶Lemma 4.3 proves that $\Rightarrow$ is a total order.
Lemma 4.4 $\beta$ using the order $\Rightarrow$ and choice function $c$ satisfies axiom P0.

Proof: This follows immediately from the definition of $c$, the fact that $\beta$ is well-formed, and the definition of the SNAP and UPDATE actions. □
Lemma 4.5 $\beta$ using the order $\Rightarrow$ and choice function $c$ satisfies axiom P1.

Proof: In order to simplify the notation in this proof, we write $L_i^{[a]} \ll L_j^{[b]}$ instead of $(t_i^{[a]}, i) \ll (t_j^{[b]}, j)$. From Lemma 4.3 we know that $\Rightarrow$ is a total order. Part a of P1, precedence, follows immediately from the definition of $\Rightarrow$. For part b of P1, consistency, let $S_i^{[a]}$ return $\bar{o}_i$. There are four cases to consider:

$c(i,a,j) \ne 0$ and $c(i,a,k) \ne 0$: If $j < k$ in $\bar{o}_i$ then, by the definition of $\bar{o}_i$ in the SNAP$_i$ action, $L_j^{[c(i,a,j)]} \ll L_k^{[c(i,a,k)]}$. By definition of $\Rightarrow$ this shows that $L_j^{[c(i,a,j)]} \Rightarrow L_k^{[c(i,a,k)]}$. If $L_j^{[c(i,a,j)]} \Rightarrow L_k^{[c(i,a,k)]}$ then either $L_j^{[c(i,a,j)]} \to L_k^{[c(i,a,k)]}$ or $L_j^{[c(i,a,j)]} \ll L_k^{[c(i,a,k)]}$. When $L_j^{[c(i,a,j)]} \to L_k^{[c(i,a,k)]}$, Corollary 4.2 and the fact that $j \ne k$ show that $L_j^{[c(i,a,j)]} \ll L_k^{[c(i,a,k)]}$. Now $j < k$ in $\bar{o}_i$ since $L_j^{[c(i,a,j)]} \ll L_k^{[c(i,a,k)]}$.

$c(i,a,j) = 0$ and $c(i,a,k) = 0$: In this case the definition of $c$ shows that the $t_j$ and $t_k$ read by $S_i^{[a]}(\mathrm{SNAP})$ are equal to their initial values, which are 0. Now the definition of $\bar{o}_i$ in the SNAP action shows that $j < k$ in $\bar{o}_i$ if and only if $j < k$.

$c(i,a,j) = 0$ and $c(i,a,k) \ne 0$: Lemma 4.1 shows that $(t_j^{[0]}, j) \ll (t_k^{[c(i,a,k)]}, k)$. Now the definition of $\bar{o}_i$ in the SNAP action shows that $j < k$ in $\bar{o}_i$.

$c(i,a,j) \ne 0$ and $c(i,a,k) = 0$: Lemma 4.1 shows that $(t_k^{[0]}, k) \ll (t_j^{[c(i,a,j)]}, j)$. Now the definition of $\bar{o}_i$ in the SNAP action shows that $k < j$ in $\bar{o}_i$. □


Lemma 4.6 $\beta$ using the order $\Rightarrow$ and choice function $c$ satisfies axiom P2.

Proof: Consider $S_i^{[a]}$ with $c(i,a,j) > 0$. By definition of $c$, $L_j^{[c(i,a,j)]}(\mathrm{UPDATE}) \Rightarrow' S_i^{[a]}(\mathrm{SNAP})$. Hence $S_i^{[a]} \not\to L_j^{[c(i,a,j)]}$. In order to prove that the second part of the axiom holds for $\beta$ we assume that there exists $L_j^{[b]}$ such that $L_j^{[c(i,a,j)]} \to L_j^{[b]} \to S_i^{[a]}$. This implies that $L_j^{[c(i,a,j)]}(\mathrm{UPDATE}) \Rightarrow' L_j^{[b]}(\mathrm{UPDATE}) \Rightarrow' S_i^{[a]}(\mathrm{SNAP})$, which directly contradicts the definition of $c$. Now consider $S_i^{[a]}$ where $c(i,a,j) = 0$. The definition of $c$ shows that there exists no $L_j^{[b]}(\mathrm{UPDATE})$ such that $L_j^{[b]}(\mathrm{UPDATE}) \Rightarrow' S_i^{[a]}(\mathrm{SNAP})$. Consequently, there exists no $L_j^{[b]}$ such that $L_j^{[b]} \to S_i^{[a]}$. □


Lemma 4.7 $\beta$ using the order $\Rightarrow$ and choice function $c$ satisfies axiom P3.

Proof: Consider $S_i^{[a]} \to S_j^{[b]}$, where $c(i,a,k) > 0$. By definition of $c$, $L_k^{[c(i,a,k)]}(\mathrm{UPDATE}) \Rightarrow' S_i^{[a]}(\mathrm{SNAP}) \Rightarrow' S_j^{[b]}(\mathrm{SNAP})$. Now the definition of $c$ and the fact that $c(i,a,k) \ne c(j,b,k)$ imply that $c(i,a,k) < c(j,b,k)$. When $c(i,a,k) = 0$ the fact that $c(i,a,k) \ne c(j,b,k)$ immediately shows that $c(i,a,k) < c(j,b,k)$. □


Lemma 4.8 $\beta$ using the order $\Rightarrow$ and choice function $c$ satisfies axiom P4.

Proof: Since $S_i^{[a]} \to L_j^{[b]}$, $S_i^{[a]}(\mathrm{SNAP}) \Rightarrow' L_j^{[b]}(\mathrm{SNAP})$. Furthermore, the definition of $c$ and the fact that $c(i,a,k) > 0$ imply that $L_k^{[c(i,a,k)]}(\mathrm{UPDATE}) \Rightarrow' S_i^{[a]}(\mathrm{SNAP})$. Consequently, $L_k^{[c(i,a,k)]}(\mathrm{UPDATE}) \Rightarrow' L_j^{[b]}(\mathrm{SNAP})$. Now Lemma 4.1 implies that $(t_k^{[c(i,a,k)]}, k) \ll (t_j^{[b]}, j)$. Therefore the definition of $\Rightarrow$ implies that $L_k^{[c(i,a,k)]} \Rightarrow L_j^{[b]}$. □
Lemma 4.9 If a behavior $\beta$, where $\beta \in fairbehs(\mathrm{UCTSS})$, has a well-formed-input, then $\beta$ is well-formed and response-live.

Proof: Notice by inspecting the precondition clauses in the code of Figure 1 that for any equivalence class $C_i$ of $part(\mathrm{UCTSS})$, there is always at most one action enabled. Furthermore, each action remains enabled until it is executed. Consequently, the actions must be executed in the sequence in which they are enabled. Furthermore, in a fair execution each enabled action will eventually be executed.

Now consider any fair execution that has a well-formed-input. The precondition-effects code in Figure 1 shows that the following sequence of actions is executed in response to a BEGINSCAN$_i$ input action: SNAP$_i(\bar{t}_i, \bar{v}_i)$ and ENDSCAN$_i(\bar{o}_i, \bar{v}_i)$. In response to a BEGINLABEL$_i(val_i)$ input action, the following sequence of actions is executed: SNAP$_i(\bar{t}_i, \bar{v}_i)$, UPDATE$_i((t_i, v_i), (nt_i, val_i))$, and ENDLABEL$_i$. Also, no actions of $C_i$ are enabled between the execution of an ENDSCAN$_i(\bar{o}_i, \bar{v}_i)$ or ENDLABEL$_i$ action and the next execution of a BEGINSCAN$_i$ or BEGINLABEL$_i(val_i)$ action. Inspection of these action sequences and the definitions of well-formed-preserving and response-live immediately shows that UCTSS is well-formed-preserving and response-live. □


We now have the necessary lemmas to show that UCTSS solves CTSS.

Lemma 4.10 UCTSS solves CTSS.

Proof: By inspection $extsig(\mathrm{UCTSS}) = extsig(\mathrm{CTSS})$. In order to show that $fairbehs(\mathrm{UCTSS}) \subseteq behs(\mathrm{CTSS})$ we consider any behavior $\beta$ such that $\beta \in fairbehs(\mathrm{UCTSS})$. If $\beta$ does not have a well-formed-input, then $\beta \in behs(\mathrm{CTSS})$ trivially. So, assume that $\beta$ has a well-formed-input. Now Lemma 4.9 shows that $\beta$ is well-formed. Define an order $\Rightarrow$ and a choice function $c$ as in Definition 4.2 and Definition 4.3 respectively. Now, Lemma 4.4, Lemma 4.5, Lemma 4.6, Lemma 4.7, and Lemma 4.8 show that $\beta$, $\Rightarrow$ and $c$ satisfy axioms P0–P4. Hence $\beta \in behs(\mathrm{CTSS})$. □
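As an added, executable illustration of Definitions 4.1 and 4.2 and of Lemmas 4.1 and 4.3 (constructed example code, not the paper's Figure 1 automaton): SNAP and UPDATE are modelled as single atomic actions, each stamped with its position in $\Rightarrow'$; NEWLABEL$_i$ is assumed to return $t_i$ unchanged when $i = i_{\max}$ and an arbitrary real strictly above $t_{\max}$ otherwise, which is the behaviour the proof of Lemma 4.1 relies on; the precedence relation $\to$ of Definition 2.8 is modelled as "the UPDATE of one LABEL operation precedes the SNAP of the other"; the value components $v_i$, $val_i$ are omitted. A random interleaving of LABEL operations is generated and then checked against Lemma 4.1 for every pair of operations and against Lemma 4.3 (strict total order of $\Rightarrow$).

```python
"""UCTSS with real-valued labels: random interleaving checked against Lemmas 4.1 and 4.3.
Constructed model (assumptions in the lead-in); processes are indexed 0..n-1."""
import itertools
import random


def ll(l1, i, l2, j):
    """Definition 4.1: (l_i, i) << (l_j, j) iff l_i < l_j, or l_i = l_j and i < j."""
    return l1 < l2 or (l1 == l2 and i < j)


class UCTSS:
    def __init__(self, n, seed=0):
        self.n, self.rng = n, random.Random(seed)
        self.t = [0.0] * n      # shared labels, initial value t_i^[0] = 0
        self.nt = [0.0] * n     # local new-label variables
        self.clock = 0          # position in =>' of the most recent SNAP/UPDATE action
        self.snap_time = {}     # i -> clock of L_i^[a](SNAP) while the operation is in progress
        self.count = [0] * n    # a: LABEL operations completed by process i
        self.labels = []        # (i, a, t_i^[a], snap clock, update clock) per completed L_i^[a]

    def snap(self, i):
        """L_i^[a](SNAP): atomic read of all labels followed by NEWLABEL_i."""
        tmax = max(self.t)
        imax = max(j for j in range(self.n) if self.t[j] == tmax)
        # Assumption: i_max keeps its label; anyone else picks t_max + X with X in R>0.
        self.nt[i] = tmax if i == imax else tmax + self.rng.uniform(0.5, 2.0)
        self.clock += 1
        self.snap_time[i] = self.clock

    def update(self, i):
        """L_i^[a](UPDATE): publish nt_i as the shared label t_i."""
        self.t[i] = self.nt[i]
        self.clock += 1
        self.count[i] += 1
        self.labels.append((i, self.count[i], self.t[i], self.snap_time.pop(i), self.clock))


def run(n=3, ops=40, seed=1):
    """Random scheduler; returns the list of completed LABEL operations."""
    s = UCTSS(n, seed)
    while len(s.labels) < ops:
        i = s.rng.randrange(n)
        s.update(i) if i in s.snap_time else s.snap(i)
    return s.labels


def lemma_4_1_holds(n, labels):
    """L_i^[a](UPDATE) =>' L_j^[b](SNAP) implies (t_i^[a], i) << (t_j^[b], j), or equality when i = j.
    The initial label (a = 0) is treated as an UPDATE at clock 0."""
    for (j, _, tj, sj, _) in labels:
        for i in range(n):
            for (ti, ui) in [(0.0, 0)] + [(x[2], x[4]) for x in labels if x[0] == i]:
                if ui < sj and not (ll(ti, i, tj, j) or (i == j and ti == tj)):
                    return False
    return True


def implies(x, y):
    """Definition 4.2: x => y iff x -> y (UPDATE of x before SNAP of y) or (t_x, i) << (t_y, j)."""
    (i, _, ti, _, ui), (j, _, tj, sj, _) = x, y
    return ui < sj or ll(ti, i, tj, j)


def is_strict_total_order(labels):
    """Lemma 4.3: irreflexive, exactly one direction per pair, and transitive."""
    if any(implies(x, x) for x in labels):
        return False
    if any(implies(x, y) == implies(y, x) for x, y in itertools.combinations(labels, 2)):
        return False
    return not any(implies(x, y) and implies(y, z) and not implies(x, z)
                   for x, y, z in itertools.permutations(labels, 3))
```

`run(3, 40, 1)` yields 40 completed LABEL operations under one seeded interleaving; `lemma_4_1_holds` and `is_strict_total_order` then return `True` for that trace. Changing the seed or `n` exercises other interleavings, including the case where a process is $i_{\max}$ and writes its old label again, which is exactly the equality case of Lemma 4.1 part 2.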


5 A Bounded Concurrent Timestamp System


In this section we present our bounded implementation of a concurrent timestamp system, BCTSS. BCTSS differs from UCTSS in three ways: the structure of the labels, the order between labels, and the manner in which NEWLABEL$_i$ determines new labels. In all other aspects BCTSS and UCTSS are identical. Recall that a label in UCTSS is an element of $\mathbb{R}^{\ge 0}$. In BCTSS, labels are taken from a different domain. In order to construct the new domain we introduce the set $A = \{1 \ldots 5\}$. We define the order $\prec_A$ and the function NEXT on the elements of $A$.

$1 \prec_A 2, 3, 4, 5; \quad 2 \prec_A 3, 4, 5; \quad 3 \prec_A 4; \quad 4 \prec_A 5; \quad 5 \prec_A 3.$

The graph in Figure 4 represents $\prec_A$, where $a \prec_A b$ iff there is a directed edge from $b$ to $a$.

Figure 4: A graphical illustration of the $\prec_A$ order between the elements of $A = \{1 \ldots 5\}$

$\mathrm{NEXT}(k) = k + 1$ if $k \in \{1, 2, 3, 4\}$, and $\mathrm{NEXT}(k) = 3$ if $k = 5$.


A BCTSS label is an element of $A^{n-1}$, where $n$ is the number of processes in the system. We refer to elements of $A^{n-1}$ using array notation. Specifically, the $h$-th digit of label $\ell$ will be denoted by $\ell[h]$. Since we have redefined the label type, we must specify the order that is to be used between elements of $A^{n-1}$ for the $\ll$ order in the SNAP$_i$ action. The order between elements of $A^{n-1}$ is represented by the symbol $\prec$ and is a lexicographical order based on $\prec_A$.

Definition 5.1 ($\prec$ order) $\ell_i \prec \ell_j$ iff there exists $h \in \{1 \ldots n-1\}$ such that $\ell_i[h'] = \ell_j[h']$ for all $h' < h$ and $\ell_i[h] \prec_A \ell_j[h]$. □

Example 5.1 $4 \ldots 4.5.2 \prec 4 \ldots 4.3.1$

Lemma 5.1 If $\ell_1$ and $\ell_2$ are elements of $A^{n-1}$ then exactly one of the following is true: $\ell_1 \prec \ell_2$, $\ell_2 \prec \ell_1$, or $\ell_1 = \ell_2$.

Proof: If $a, b \in A$, then by definition of $\prec_A$ exactly one of the following is true: $a \prec_A b$, $b \prec_A a$, or $a = b$. The lemma now follows since $\prec$ is a lexicographical order defined by $\prec_A$. □
We define the following notation and functions for BCTSS labels:

Definition 5.2 ($\stackrel{h}{=}$ equivalence relation) For any $h \in \{0 \ldots n-1\}$, $\ell_1 \stackrel{h}{=} \ell_2$ iff $\ell_1[h'] = \ell_2[h']$ for all $h' \le h$. Note that $\ell_1 \stackrel{n-1}{=} \ell_2$ implies that $\ell_1 = \ell_2$. □

Definition 5.3 (NEXTLABEL) For any $h \in \{1 \ldots n-1\}$, $\ell' = \mathrm{NEXTLABEL}(\ell, h)$ iff $\ell' \stackrel{h-1}{=} \ell$, $\ell'[h] = \mathrm{NEXT}(\ell[h])$ and $\ell'[h'] = 1$ for all $h' \in \{h+1 \ldots n-1\}$. □

Definition 5.4 (CYCLE) For any $h \in \{1 \ldots n-1\}$, $\ell' \in \mathrm{CYCLE}(\ell, h)$ iff $\ell' \stackrel{h-1}{=} \ell$ and $\ell'[h] \in \{3, 4, 5\}$. □

Lemma 5.2 A set $\mathcal{L}$ of labels is not totally ordered by $\prec$ iff there exist $\ell_1, \ell_2, \ell_3 \in \mathcal{L}$ and $h \in \{1 \ldots n-1\}$ such that $\ell_1 \stackrel{h-1}{=} \ell_2 \stackrel{h-1}{=} \ell_3$ and $\{\ell_1[h], \ell_2[h], \ell_3[h]\} = \{3, 4, 5\}$.

Proof: $\Rightarrow$ The $\prec$ ordering on $\mathcal{L}$ is irreflexive by definition and antisymmetric by Lemma 5.1. Therefore, it must be that transitivity does not hold. Specifically there exist $\ell_1, \ell_2, \ell_3 \in \mathcal{L}$ such that $\ell_1 \prec \ell_2 \prec \ell_3$ and $\ell_1 \not\prec \ell_3$. By Lemma 5.1 it cannot be that $\ell_1 = \ell_3$, therefore $\ell_3 \prec \ell_1$. Since $\prec$ is a lexicographical order, there must exist $h \in \{1 \ldots n-1\}$ such that $\ell_1 \stackrel{h-1}{=} \ell_2 \stackrel{h-1}{=} \ell_3$ and $\ell_1[h] \prec_A \ell_2[h] \prec_A \ell_3[h]$ and $\ell_1[h] \not\prec_A \ell_3[h]$. Now by definition of $A$, $\{\ell_1[h], \ell_2[h], \ell_3[h]\} = \{3, 4, 5\}$.

$\Leftarrow$ By definition of $A$ we can conclude without loss of generality that $\ell_1[h] \prec_A \ell_2[h] \prec_A \ell_3[h]$ and $\ell_1[h] \not\prec_A \ell_3[h]$. Since $\ell_1 \stackrel{h-1}{=} \ell_2 \stackrel{h-1}{=} \ell_3$ and $\prec$ is a lexicographical order, $\ell_1 \prec \ell_2 \prec \ell_3$ and $\ell_1 \not\prec \ell_3$. Hence, $\ell_1$, $\ell_2$, and $\ell_3$ are not totally ordered. □


We now define some functions on the states of BCTSS. In order to reason about the states of the system we introduce the notation $b.x$ to refer to the variable $x$ in state $b$. For a state $b$ and any label $\ell$ in state $b$:

Definition 5.5 (AGREE) For any $h \in \{0 \ldots n-1\}$, $\mathrm{AGREE}(b.\ell, h) = \{j \mid b.t_j \stackrel{h}{=} b.\ell\}$. □

Definition 5.6 (NUM) For any $h \in \{0 \ldots n-1\}$, $\mathrm{NUM}(b.\ell, h) = |\mathrm{AGREE}(b.\ell, h)|$. □

Definition 5.7 (NUM$_i$) For any $h \in \{0 \ldots n-1\}$, $\mathrm{NUM}_i(b.\ell, h) = |\mathrm{AGREE}(b.\ell, h) - \{i\}|$. □

Definition 5.8 (choice vector) A choice vector for state $b$ is any vector $(b.\ell_1 \ldots b.\ell_n)$ such that $b.\ell_i \in \{b.t_i, b.nt_i\}$ for each $i$. □
FULL$_i(h)$, $h \in \{1 \ldots n-1\}$
    if NUM$_i(t_{\max}, h) \ge n - h$
        then return(true)
        else return(false)

NEWLABEL$_i(t_i)$
    if $i \ne i_{\max}$
        then $h' \leftarrow$ minimum $h \in \{1 \ldots n-1\}$ such that FULL$_i(h)$ = true
             return(NEXTLABEL$(t_{\max}, h')$)
        else return($t_i$)

Figure 5: Code for NEWLABEL$_i$ of BCTSS


Definition 5.9 (TOT) $\mathrm{TOT}(b) = true$ iff the set of values in every choice vector is totally ordered by $\prec$; otherwise $\mathrm{TOT}(b) = false$. □

Recall that the second difference between UCTSS and BCTSS is the $\ll$ order that is used in SNAP$_i$. We define $\ll$ for BCTSS lexicographically.

Definition 5.10 ($\ll$ order) $(\ell_i, i) \ll (\ell_j, j)$ iff either $\ell_i \prec \ell_j$, or $\ell_i = \ell_j$ and $i < j$. □

In any state $b$ in which $\mathrm{TOT}(b) = true$, $\ll$ defines a total order.

We now define $b.t_{\max}$ and $b.i_{\max}$ for a state $b$ in which $\mathrm{TOT}(b) = true$. Consider the choice vector $(b.t_1 \ldots b.t_n)$. Since $\mathrm{TOT}(b) = true$, there must exist $i \in \{1 \ldots n\}$ such that, for all $j \ne i$ with $j \in \{1 \ldots n\}$, $b.t_j \prec b.t_i$ or $b.t_j = b.t_i$. Let $b.t_{\max} = b.t_i$. Let $b.i_{\max}$ be the largest index $j$ such that $b.t_j = b.t_{\max}$.

The final difference between BCTSS and UCTSS is in the code for NEWLABEL$_i$. Recall that in UCTSS, NEWLABEL$_i$ nondeterministically picks a real number that is larger than $t_{\max}$. In BCTSS, NEWLABEL$_i$ also picks the new label based on $t_{\max}$. In states in which $\mathrm{TOT}(b) = true$, $b.t_{\max}$ and $b.i_{\max}$ are defined. We let NEWLABEL$_i$ be a no-op for states in which $\mathrm{TOT}(b) = false$. In Section 6 we will show that $\mathrm{TOT}(b) = true$ for all reachable states. When $i_{\max}$ is defined and $i \ne i_{\max}$, NEWLABEL$_i$ finds the minimum $h$ such that at least $n - h$ t-labels, excluding $t_i$, agree with the prefix of $t_{\max}$ up to and including the $h$-th digit. Then the new label is the same as $t_{\max}$ for the first $h - 1$ digits, it differs from $t_{\max}$ at the $h$-th digit based on the function NEXT, and its remaining digits are equal to 1. The code for NEWLABEL$_i$ of BCTSS is given in Figure 5.

NEWLABEL$_i$ finds the minimum integer $h$ such that FULL$_i(h)$ returns true. We now show that such an $h$ exists in $\{1 \ldots n-1\}$. The code that finds $h$ is executed only when $i \ne i_{\max}$. Notice that $\mathrm{NUM}_i(t_{\max}, n-1) \ge 1$ when $i \ne i_{\max}$, hence FULL$_i(n-1)$ = true.

The initial values for the labels in BCTSS are: $t_i = nt_i = 1^{n-1}$, $\bar{o}_i = (1 \ldots n)$, $\bar{v}_i = (v_0 \ldots v_0)$, $\bar{t}_i = (1^{n-1} \ldots 1^{n-1})$, $v_i = val_i = v_0$, $op_i = \mathrm{NIL}$, and $pc_i = \mathrm{NIL}$.


6 Invariants

For use in the simulation proof we define the following invariants:

Theorem 6.1 If $b$ is a reachable state of BCTSS then, for all $i \in \{1 \ldots n\}$:

I: $\mathrm{TOT}(b) = true$.

II: If $i = b.i_{\max}$ then $b.t_i = b.nt_i$.

III: If $b.t_{\max} \prec b.nt_i$ then there exists $h \in \{1 \ldots n-1\}$ such that $b.nt_i = \mathrm{NEXTLABEL}(b.t_{\max}, h)$.

IV: If $b.nt_i \prec b.t_{\max}$ then for any $h \in \{1 \ldots n-1\}$, if $b.t_i \stackrel{h}{=} b.t_{\max}$ then $b.nt_i \stackrel{h}{=} b.t_{\max}$.

V: For any $h \in \{1 \ldots n-1\}$, if $b.nt_i \in \mathrm{CYCLE}(b.t_{\max}, h)$ then $b.t_i \stackrel{h-1}{=} b.t_{\max}$.

VI: For any $h \in \{1 \ldots n-1\}$,

a: if $b.nt_i = \mathrm{NEXTLABEL}(b.t_{\max}, h)$ then $\mathrm{NUM}_i(b.t_{\max}, h-1) \ge n - h$.

b: if $b.t_{\max}[h] \ne 1$ then $\mathrm{NUM}(b.t_{\max}, h-1) \ge n - h + 1$.

I, II, and III are used in the simulation proof. We use an induction argument to show that all reachable states of BCTSS satisfy these invariants. The purpose of invariants IV–VI is to strengthen the induction hypothesis enough so that I can be proven. The only action that can cause invariant I to be violated is SNAP$_i$ when $op_i = \mathrm{LABEL}_i$. Specifically, we must show that the new $nt_i$ picked by NEWLABEL$_i$ does not introduce any cycles in the $\prec$ order of the t-labels and nt-labels. Since the NEWLABEL$_i$ code can examine all of the t-labels, the code can be written to avoid any cycles involving $nt_i$ and the t-labels. However, the NEWLABEL$_i$ code cannot examine the local nt-labels of the other processes. In order to show that cycles that include $nt_i$ and nt-labels are avoided, invariants IV and V are used to limit the possible values of the nt-labels based on the corresponding t-labels.

For example, invariant IV implies that $nt_i \stackrel{h}{=} t_{\max}$ whenever $t_i \stackrel{h}{=} t_{\max}$, for all $nt_i \prec t_{\max}$. If $nt_i$ is in the cycle at level $h$, in other words $nt_i[h] \in \{3, 4, 5\}$, then invariant V states that $nt_i \stackrel{h-1}{=} t_i$. Now assume that NEWLABEL$_i$ picks $nt_i = \mathrm{NEXTLABEL}(t_{\max}, h)$. Then the code for NEWLABEL$_i$, using the function FULL$_i$, limits the number of t-labels that are $\stackrel{h-1}{=} t_{\max}$ and consequently the number of t-labels that are $\stackrel{h-1}{=} nt_i$. Now invariant V can be used to limit the number of nt-labels that could, by being in the cycle at level $h$, cause a cycle to occur with the new $nt_i$.

Invariant III gives information about the structure of nt-labels that are $\succ t_{\max}$. This information is used to determine how the new $nt_i$ is ordered with respect to any nt-labels that are $\succ t_{\max}$. Finally, invariant VIb is used to prove invariant V, and invariant VIa is used to prove VIb. If a new label $nt_i$ is picked in the cycle at level $h$ then it must be that $t_{\max}[h] \ne 1$; hence VIb applies. VIb says that $\mathrm{NUM}(t_{\max}, h-1) \ge n - h + 1$. The code for NEWLABEL$_i$ ensures that $\mathrm{NUM}_i(t_{\max}, h-1) < n - h + 1$. Thus it must be the case that $t_i \stackrel{h-1}{=} t_{\max}$. This is precisely what is required to prove invariant V.
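As an added, executable illustration of the BCTSS label domain of Section 5 (the orders $\prec_A$ and $\prec$, NEXT, NEXTLABEL, NUM$_i$, FULL$_i$, the NEWLABEL$_i$ code of Figure 5, and Lemma 5.2) and of invariants I, II and III of Theorem 6.1 (constructed example code, not the paper's Figure 1 or Figure 5 code): a random scheduler interleaves SNAP and UPDATE actions of $n$ processes and, after every step, checks that every choice vector is totally ordered, that $i_{\max}$ holds its own nt-label, and that every nt-label above $t_{\max}$ is a NEXTLABEL of it. Assumptions: processes are 0-based while digits stay 1-based as in the paper, the value components are omitted, NEWLABEL$_i$ returns $t_i$ unchanged when $i = i_{\max}$ (the branch invariant II requires), and a set of labels is tested for total order both directly (a 3-cycle search, which suffices by Lemma 5.1) and through the Lemma 5.2 characterization, which must agree.

```python
"""BCTSS label domain and a random-interleaving check of invariants I, II and III.
Constructed model (assumptions in the lead-in); labels are tuples over A = {1..5}."""
import itertools
import random


def lt_A(a, b):
    """<_A on A: 1 <_A 2,3,4,5; 2 <_A 3,4,5; 3 <_A 4; 4 <_A 5; 5 <_A 3."""
    if a in (1, 2) or b in (1, 2):
        return a < b
    return (a, b) in ((3, 4), (4, 5), (5, 3))


def next_A(k):
    """NEXT(k): k+1 for k in {1,2,3,4} and 3 for k = 5."""
    return k + 1 if k < 5 else 3


def lt_label(l1, l2):
    """Definition 5.1: lexicographic order on A^(n-1) induced by <_A."""
    for a, b in zip(l1, l2):
        if a != b:
            return lt_A(a, b)
    return False


def prefix_eq(l1, l2, h):
    """Definition 5.2: l1 =^h l2 iff the first h digits agree (h = 0 always holds)."""
    return l1[:h] == l2[:h]


def next_label(l, h):
    """Definition 5.3: keep digits 1..h-1, apply NEXT at digit h, reset later digits to 1."""
    return l[:h - 1] + (next_A(l[h - 1]),) + (1,) * (len(l) - h)


def totally_ordered(labels):
    """By Lemma 5.1 only transitivity can fail, and any failure contains a 3-cycle."""
    return not any(lt_label(a, b) and lt_label(b, c) and lt_label(c, a)
                   for a, b, c in itertools.permutations(labels, 3))


def has_345_triple(labels):
    """Lemma 5.2: three labels sharing the first h-1 digits with digits {3,4,5} at h."""
    return any(prefix_eq(a, b, h - 1) and prefix_eq(a, c, h - 1)
               and {a[h - 1], b[h - 1], c[h - 1]} == {3, 4, 5}
               for a, b, c in itertools.combinations(labels, 3)
               for h in range(1, len(a) + 1))


class BCTSS:
    def __init__(self, n, seed=0):
        self.n, self.rng = n, random.Random(seed)
        self.t = [(1,) * (n - 1)] * n    # shared t-labels, initially 1^(n-1)
        self.nt = list(self.t)           # local nt-labels
        self.pending = set()             # processes between their SNAP and UPDATE

    def tmax(self):
        """(t_max, i_max): maximum t-label under Definition 5.10, largest index on ties."""
        imax = 0
        for j in range(1, self.n):       # j > imax, so an equal label also moves imax to j
            if not lt_label(self.t[j], self.t[imax]):
                imax = j
        return self.t[imax], imax

    def num_i(self, i, l, h):
        """Definition 5.7: |AGREE(l, h) - {i}| over the shared t-labels."""
        return sum(1 for j in range(self.n) if j != i and prefix_eq(self.t[j], l, h))

    def new_label(self, i):
        """Figure 5: smallest h with FULL_i(h), i.e. NUM_i(t_max, h) >= n - h."""
        tmax, imax = self.tmax()
        if i == imax:
            return self.t[i]             # assumed no-op branch (see lead-in)
        h = min(h for h in range(1, self.n) if self.num_i(i, tmax, h) >= self.n - h)
        return next_label(tmax, h)

    def step(self, i):
        """One atomic action of process i: UPDATE if a SNAP is pending, else SNAP."""
        if i in self.pending:
            self.t[i] = self.nt[i]
            self.pending.discard(i)
        else:
            self.nt[i] = self.new_label(i)
            self.pending.add(i)

    def tot(self):
        """Invariant I: every choice vector (t_i or nt_i per process) is totally ordered."""
        for cv in itertools.product(*zip(self.t, self.nt)):
            ok = totally_ordered(cv)
            assert ok == (not has_345_triple(cv))   # Lemma 5.2 must agree with the direct check
            if not ok:
                return False
        return True

    def inv_ii_iii(self):
        """Invariant II (i_max holds its own nt) and III (nt above t_max is a NEXTLABEL of it)."""
        tmax, imax = self.tmax()
        if self.t[imax] != self.nt[imax]:
            return False
        return all(not lt_label(tmax, nt)
                   or any(nt == next_label(tmax, h) for h in range(1, self.n))
                   for nt in self.nt)


def run(n=4, steps=300, seed=1):
    """Random scheduler; True iff I, II and III held after every step."""
    s = BCTSS(n, seed)
    for _ in range(steps):
        s.step(s.rng.randrange(n))
        if not (s.tot() and s.inv_ii_iii()):
            return False
    return True
```

`run(3)` and `run(4)` return `True` for every seed tried, which is the behaviour Theorem 6.1 predicts; `next_label((4, 4, 5, 2), 3)` evaluates to `(4, 4, 3, 1)`, so the two labels of Example 5.1 are exactly a label and its NEXTLABEL at the penultimate digit, and `lt_label` orders them as the example states.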


The proof of Theorem 6.1 uses induction. It depends on a series of lemmas, one for the initial state and one for each action in the inductive step.

Lemma 6.2 The initial state $b$ of BCTSS satisfies invariants I–VI.

Proof: This follows from the fact that $b.t_i = b.nt_j = 1^{n-1}$ for all $i, j \in \{1 \ldots n\}$. □

Lemma 6.3 Let $b$ be a state of BCTSS that satisfies I–VI. If $(b, \pi, b')$ is a step of BCTSS where $\pi \in \{\mathrm{BEGINSCAN}_k, \mathrm{ENDSCAN}_k(\bar{o}_k, \bar{v}_k), \mathrm{BEGINLABEL}_k(val_k), \mathrm{ENDLABEL}_k\}$ for any $k$, then $b'$ satisfies I–VI.

Proof: None of the t-labels or nt-labels change as a result of $\pi$. This suffices to show that $b'$ satisfies I–VI. □

Lemma 6.4 Let $b$ be a state of BCTSS satisfying I–VI. If $(b, \mathrm{UPDATE}_k((t_k, v_k), (nt_k, val_k)), b')$ is a step of BCTSS for any $k$, then $b'$ satisfies I–VI.
Proof: The proof is divided into a series of claims. By invariant I for state $b$, $b.t_{\max}$ and $b.i_{\max}$ are defined. We split the argument into two cases: $k = b.i_{\max}$ and $k \ne b.i_{\max}$. Consider $k = b.i_{\max}$ first.

Claim 6.4.1 If $k = b.i_{\max}$, then $b'$ satisfies I–VI.

Proof: By invariant II for state $b$, $b.t_k = b.nt_k$. Thus, none of the t-labels or nt-labels change for BCTSS. This suffices to show that $b'$ satisfies I–VI. □

So assume that $k \ne b.i_{\max}$ for the remainder of the proof.

Claim 6.4.2 If $k \ne b.i_{\max}$ then I is true in $b'$.

Proof: Assume for a contradiction that $\mathrm{TOT}(b') = false$. Since $\mathrm{TOT}(b) = true$ and $t_k$ is the only label that changes, the choice vector whose values are not totally ordered must include $b'.t_k$. Now consider the same choice vector except that we substitute $b'.nt_k$ for $b'.t_k$. Since $b'.t_k = b'.nt_k$, this new choice vector's values are also not totally ordered. Since none of the labels in this new choice vector change as a result of the action, the same choice vector must not have had its values totally ordered in state $b$. However this contradicts the assumption that $\mathrm{TOT}(b) = true$. □

Having proved invariant I we now know that $b'.i_{\max}$ and $b'.t_{\max}$ are defined. The proof for II–VI is subdivided into the following two cases: $b.nt_k \preceq b.t_{\max}$ and $b.t_{\max} \prec b.nt_k$. Assume first that $b.nt_k \preceq b.t_{\max}$.

Claim 6.4.3 If $k \ne b.i_{\max}$ and $b.nt_k \preceq b.t_{\max}$ then $b'.t_{\max} = b.t_{\max}$ and either $b'.i_{\max} = b.i_{\max}$ or $b'.i_{\max} = k$.

Proof: Let $z = b.i_{\max}$, then $b.t_z = b.t_{\max}$ and $z \ne k$. We show first that $b'.t_i \preceq b.t_z$ for all $i$. First consider $i \ne k$. Since $t_k$ is the only label that changes, $b'.t_i = b.t_i$. Therefore, the fact that $b.t_i \preceq b.t_z$ implies that $b'.t_i \preceq b.t_z$. Now let $i = k$. As a result of the action, $b'.t_i = b.nt_i$. By assumption $b.nt_i \preceq b.t_z$, so $b'.t_i \preceq b.t_z$. Since $z \ne k$, $t_z$ does not change, so we can conclude that $b'.t_i \preceq b'.t_z$ for all $i$. This implies that $b'.t_z = b'.t_{\max}$. The following identity now establishes the first part of the claim: $b.t_{\max} = b.t_z = b'.t_z = b'.t_{\max}$.

Let $S = \{i \mid b.t_i = b.t_{\max}\}$ and $S' = \{i \mid b'.t_i = b'.t_{\max}\}$. Then $b.i_{\max} = \mathrm{MAX}(S)$ and $b'.i_{\max} = \mathrm{MAX}(S')$. Since $t_k$ is the only t-label that changes and $b'.t_{\max} = b.t_{\max}$, $S' = S$ or $S' = S - \{k\}$ or $S' = S \cup \{k\}$. When $S' = S$ then $\mathrm{MAX}(S') = \mathrm{MAX}(S)$. Let $z = b.i_{\max}$. Since $k \ne b.i_{\max}$, the definition of $b.i_{\max}$ shows that $z \in S$ and $k < z$ when $k \in S$. Consequently, when $S' = S - \{k\}$ then $\mathrm{MAX}(S') = \mathrm{MAX}(S)$. Finally, when $S' = S \cup \{k\}$ then $\mathrm{MAX}(S') = \mathrm{MAX}(S)$ or $\mathrm{MAX}(S') = k$. This shows that $b'.i_{\max} = b.i_{\max}$ or $b'.i_{\max} = k$. □


Claim 6.4.4 If $k \ne b.i_{\max}$ and $b.nt_k \preceq b.t_{\max}$ then $\mathrm{NUM}(b'.t_{\max}, h) \ge \mathrm{NUM}(b.t_{\max}, h)$ and $\mathrm{NUM}_i(b'.t_{\max}, h) \ge \mathrm{NUM}_i(b.t_{\max}, h)$ for all $i$ and $h$.

Proof: The claim follows immediately if we show that $\mathrm{AGREE}(b'.t_{\max}, h) \supseteq \mathrm{AGREE}(b.t_{\max}, h)$. Suppose $i \in \mathrm{AGREE}(b.t_{\max}, h)$. If $i \ne k$, then since $t_i$ does not change and, by Claim 6.4.3, $t_{\max}$ does not change, $i \in \mathrm{AGREE}(b'.t_{\max}, h)$. Now consider $i = k$. By definition of AGREE, $b.t_k \stackrel{h}{=} b.t_{\max}$. Since $b.nt_k \preceq b.t_{\max}$, IV for state $b$ implies that $b.nt_k \stackrel{h}{=} b.t_{\max}$. As a result of the action $b'.t_k = b.nt_k$, so $b'.t_k \stackrel{h}{=} b.t_{\max}$. This fact along with the fact that $t_{\max}$ does not change implies that $k \in \mathrm{AGREE}(b'.t_{\max}, h)$. □

Claim 6.4.5 If $k \ne b.i_{\max}$ and $b.nt_k \preceq b.t_{\max}$ then $b'$ satisfies II–VI.

Proof: We proceed with a case analysis. Consider any $i \in \{1 \ldots n\}$ and $h \in \{1 \ldots n-1\}$.

II: Suppose $i = b'.i_{\max}$. By Claim 6.4.3, $i = k$ or $i = b.i_{\max}$. First consider $i = k$. As a direct consequence of the action, $b'.t_i = b'.nt_i$. Now consider $i = b.i_{\max}$ where $i \ne k$. In this case II holds for $b'$ since $t_i$ and $nt_i$ do not change, and II holds for $b$.

III: III holds for $b'$ since $t_{\max}$ and $nt_i$ do not change, and III holds for $b$.

IV: First consider $i = k$. As a consequence of the action $b'.t_i = b'.nt_i$. Hence, $b'.t_i \stackrel{h}{=} b'.t_{\max}$ implies that $b'.nt_i \stackrel{h}{=} b'.t_{\max}$ for all $h$. Now consider $i \ne k$. Since IV holds in state $b$, and $t_{\max}$, $t_i$ and $nt_i$ do not change, IV holds for state $b'$.

V: First consider $i = k$. $b'.nt_i \in \mathrm{CYCLE}(b'.t_{\max}, h)$ and the definition of CYCLE imply that $b'.nt_i \stackrel{h-1}{=} b'.t_{\max}$. As a consequence of the action, $b'.t_i = b'.nt_i$. Hence, $b'.t_i \stackrel{h-1}{=} b'.t_{\max}$. Now consider $i \ne k$. In this case V is true in $b'$ since $t_i$, $nt_i$, and $t_{\max}$ do not change and V is true in $b$.

VI: Since $nt_i$ and $t_{\max}$ do not change, $b'.nt_i = \mathrm{NEXTLABEL}(b'.t_{\max}, h)$ implies that $b.nt_i = \mathrm{NEXTLABEL}(b.t_{\max}, h)$, and $b'.t_{\max}[h] \ne 1$ implies that $b.t_{\max}[h] \ne 1$. By Claim 6.4.4, $\mathrm{NUM}(b'.t_{\max}, h) \ge \mathrm{NUM}(b.t_{\max}, h)$ and $\mathrm{NUM}_i(b'.t_{\max}, h) \ge \mathrm{NUM}_i(b.t_{\max}, h)$. Hence, VI holds for state $b'$ since it holds for state $b$. □


Claim 6.4.5 shows that II–VI hold when $b.nt_k \preceq b.t_{\max}$. For the remainder of the proof assume that $b.t_{\max} \prec b.nt_k$.

Claim 6.4.6 If $k \ne b.i_{\max}$ and $b.t_{\max} \prec b.nt_k$ then $b'.t_{\max} = b'.t_k$ and $b'.i_{\max} = k$.

Proof: We proceed by showing that $b'.t_i \prec b'.t_k$ for all $i \ne k$. From the definition of $t_{\max}$ and the assumption that $b.t_{\max} \prec b.nt_k$, we know that $b.t_i \preceq b.t_{\max} \prec b.nt_k$. Let $z = b.i_{\max}$, then $b.t_z = b.t_{\max}$ and $z \ne k$. Since $k \ne z$, $k \ne i$, and $b.t_z = b.t_{\max}$, there exists a choice vector that includes the values $b.t_i$, $b.t_{\max}$, and $b.nt_k$. Since $\mathrm{TOT}(b) = true$, the values in this choice vector are totally ordered. Hence, $b.t_i \preceq b.t_{\max} \prec b.nt_k$ implies that $b.t_i \prec b.nt_k$. As a result of the action $b.nt_k = b'.t_k$ and $t_i$ does not change. Therefore, $b.t_i \prec b.nt_k$ implies that $b'.t_i \prec b'.t_k$. Hence $b'.t_{\max} = b'.t_k$. Since $k$ is the only process index for which $b'.t_{\max} = b'.t_i$, $b'.i_{\max} = k$. □

The following claim lists some of the properties of $b'.t_{\max}$.

Claim 6.4.7 If $k \ne b.i_{\max}$ and $b.t_{\max} \prec b.nt_k$ then there exists $h' \in \{1 \ldots n-1\}$ such that:

1. $b'.t_{\max} = b'.t_k = b'.nt_k = b.nt_k = \mathrm{NEXTLABEL}(b.t_{\max}, h')$.

2. $b'.t_{\max}[h] = 1$ for all $h > h'$.

3. For all $i$, $b'.nt_i \stackrel{h'}{=} b'.t_{\max}$ implies that $b'.nt_i = b'.t_{\max}$.

4. There exists no $i \ne k$ such that $b'.t_i \stackrel{h'}{=} b'.t_{\max}$.

5. $\mathrm{NUM}(b'.t_{\max}, h) \ge \mathrm{NUM}(b.t_{\max}, h)$ and $\mathrm{NUM}_i(b'.t_{\max}, h) \ge \mathrm{NUM}_i(b.t_{\max}, h)$ for all $i$ and all $h < h'$.

Proof: By invariant III for state $b$ and the assumption that $b.t_{\max} \prec b.nt_k$, we conclude that $b.nt_k = \mathrm{NEXTLABEL}(b.t_{\max}, h')$ for some $h' \in \{1 \ldots n-1\}$. Fix $h'$.

1: By Claim 6.4.6 $b'.t_{\max} = b'.t_k$. The fact that $b'.t_k = b'.nt_k = b.nt_k$ is a direct consequence of the action $\mathrm{UPDATE}_k((t_k, v_k), (nt_k, val_k))$. Finally, we have already shown that $b.nt_k = \mathrm{NEXTLABEL}(b.t_{\max}, h')$.

2: This follows directly from the definition of NEXTLABEL.

3: Suppose that $b'.nt_i \stackrel{h'}{=} b'.t_{\max}$. First consider $i \ne k$. The fact that $nt_i$ does not change and part 1 of the claim show that $b.nt_i = b'.nt_i \stackrel{h'}{=} b'.t_{\max} = \mathrm{NEXTLABEL}(b.t_{\max}, h')$. Consequently, $b.nt_i \stackrel{h'}{=} \mathrm{NEXTLABEL}(b.t_{\max}, h')$. Now the definition of NEXTLABEL implies that $b.nt_i \stackrel{h'-1}{=} b.t_{\max}$ and $b.nt_i[h'] = \mathrm{NEXT}(b.t_{\max}[h'])$. Thus $b.t_{\max} \prec b.nt_i$. Now III for state $b$ implies that $b.nt_i = \mathrm{NEXTLABEL}(b.t_{\max}, h)$ for some $h \in \{1 \ldots n-1\}$. Since $b.nt_i[h'] = \mathrm{NEXT}(b.t_{\max}[h'])$, $h = h'$. Hence, $b'.nt_i = b.nt_i = \mathrm{NEXTLABEL}(b.t_{\max}, h') = b'.t_{\max}$. Now consider $i = k$. In this case $b'.t_{\max} = b'.nt_k$ by part 1 of the claim.

4: We proceed by contradiction. Assume that there exists $i \ne k$ such that $b'.t_i \stackrel{h'}{=} b'.t_{\max}$. Since $t_i$ does not change as a result of the action, $b.t_i = b'.t_i \stackrel{h'}{=} b'.t_{\max} = \mathrm{NEXTLABEL}(b.t_{\max}, h')$. Consequently, $b.t_i \stackrel{h'}{=} \mathrm{NEXTLABEL}(b.t_{\max}, h')$. Now the definition of NEXTLABEL implies that $b.t_i \stackrel{h'-1}{=} b.t_{\max}$ and $b.t_i[h'] = \mathrm{NEXT}(b.t_{\max}[h'])$. Thus $b.t_{\max} \prec b.t_i$. This contradicts the definition of $b.t_{\max}$.

5: Let $h < h'$. Part 5 of the claim follows immediately if we show that $\mathrm{AGREE}(b'.t_{\max}, h) \supseteq \mathrm{AGREE}(b.t_{\max}, h)$. Suppose $i \in \mathrm{AGREE}(b.t_{\max}, h)$. If $i \ne k$, then $t_i$ does not change. By part 1 of the claim and the definition of NEXTLABEL, $b'.t_{\max} \stackrel{h}{=} b.t_{\max}$. Now the definition of AGREE implies that $i \in \mathrm{AGREE}(b'.t_{\max}, h)$. Now consider $i = k$. Part 1 of the claim shows that $b'.t_k = b'.t_{\max}$. Hence $k \in \mathrm{AGREE}(b'.t_{\max}, h)$. □


The remainder of the proof is structured as a series of claims, one for each of the five remaining invariants. Fix $h'$ to be the $h'$ defined by Claim 6.4.7. Parts 1–5 of Claim 6.4.7 will be used throughout the remaining claims.

Claim 6.4.8 If $k \ne b.i_{\max}$ and $b.t_{\max} \prec b.nt_k$ then II is true in $b'$.

Proof: By Claim 6.4.6 $b'.i_{\max} = k$. Part 1 of Claim 6.4.7 shows that $b'.t_k = b'.nt_k$. □

Claim 6.4.9 If $k \ne b.i_{\max}$ and $b.t_{\max} \prec b.nt_k$ then III is true in $b'$.

Proof: Consider any $i$ such that $b'.t_{\max} \prec b'.nt_i$. By part 1 of Claim 6.4.7, $b'.t_{\max} = b'.nt_k$, so $b'.t_{\max} \prec b'.nt_i$ implies that $i \ne k$. Furthermore, $nt_i$ does not change as a result of the action and part 1 of Claim 6.4.7 shows that $b'.t_{\max} = b.nt_k$. Hence $b'.t_{\max} \prec b'.nt_i$ implies that $b.nt_k \prec b.nt_i$. By assumption $b.t_{\max} \prec b.nt_k$, so $b.t_{\max} \prec b.nt_k \prec b.nt_i$. Now consider two cases, $i = b.i_{\max}$ and $i \ne b.i_{\max}$. When $i = b.i_{\max}$, invariant II shows that $b.t_{\max} = b.nt_i$. This implies that $b.nt_i \prec b.nt_k \prec b.nt_i$, which is impossible by Lemma 5.1. Therefore, it must be that $i \ne b.i_{\max}$. Since $b.i_{\max} \ne i$ and $b.i_{\max} \ne k$ there must exist a choice vector that includes the values $b.t_{\max}$, $b.nt_k$, and $b.nt_i$. Since $\mathrm{TOT}(b) = true$, the values in this choice vector are totally ordered. Hence, $b.t_{\max} \prec b.nt_k \prec b.nt_i$ implies that $b.t_{\max} \prec b.nt_i$. Now III for state $b$ and the fact that $nt_i$ does not change show that $b'.nt_i = \mathrm{NEXTLABEL}(b.t_{\max}, h)$ for some $h \in \{1 \ldots n-1\}$. Since $b'.nt_i = \mathrm{NEXTLABEL}(b.t_{\max}, h)$, $b'.t_{\max} = \mathrm{NEXTLABEL}(b.t_{\max}, h')$, and $b'.t_{\max} \prec b'.nt_i$, it must be that $h < h'$. Hence $b'.nt_i = \mathrm{NEXTLABEL}(b'.t_{\max}, h)$, which directly implies that III holds for state $b'$. □

Claim 6.4.10 If $k \ne b.i_{\max}$ and $b.t_{\max} \prec b.nt_k$ then IV is true in $b'$.

Proof: Let $b'.nt_i \prec b'.t_{\max}$. First consider $i = k$. By part 1 of Claim 6.4.7, $b'.nt_k = b'.t_{\max}$, which directly implies IV. Now consider $i \ne k$ and any $h$:

$h < h'$: Part 1 of Claim 6.4.7 and the definition of NEXTLABEL show that $b'.t_{\max} \stackrel{h}{=} b.t_{\max}$ when $h < h'$. Now consider two cases: $b.nt_i \prec b.t_{\max}$ and $b.nt_i \not\prec b.t_{\max}$. When $b.nt_i \prec b.t_{\max}$, IV for state $b$ shows that $b.t_i \stackrel{h}{=} b.t_{\max}$ implies that $b.nt_i \stackrel{h}{=} b.t_{\max}$. Now IV is true in $b'$ since $t_i$ and $nt_i$ do not change and $b'.t_{\max} \stackrel{h}{=} b.t_{\max}$. Now consider the case $b.nt_i \not\prec b.t_{\max}$. By Lemma 5.1, $b.t_{\max} \prec b.nt_i$. Now III for state $b$ shows that $b.nt_i = \mathrm{NEXTLABEL}(b.t_{\max}, h_i)$ for some $h_i \in \{1 \ldots n-1\}$. Furthermore, since $nt_i$ does not change, the assumption that $b'.nt_i \prec b'.t_{\max}$ implies that $b.nt_i \prec b'.t_{\max}$. Finally, part 1 of Claim 6.4.7 shows that $b'.t_{\max} = \mathrm{NEXTLABEL}(b.t_{\max}, h')$. Using these facts and the definition of NEXTLABEL we can conclude that $h_i > h'$. Therefore, $b.nt_i \stackrel{h}{=} b'.t_{\max}$. Since $nt_i$ does not change, this implies that $b'.nt_i \stackrel{h}{=} b'.t_{\max}$. This suffices to show that IV is true in $b'$.

$h \ge h'$: Part 4 of Claim 6.4.7 shows that $b'.t_i \not\stackrel{h'}{=} b'.t_{\max}$, and hence $b'.t_i \not\stackrel{h}{=} b'.t_{\max}$. Hence, IV is vacuously true in $b'$. □
Claim 6.4.11 If $k \neq b.i_{max}$ and $b.t_{max} \prec b.nt_k$ then V is true in $b'$.

Proof: Suppose $b'.nt_i \in CYCLE(b'.t_{max}, h)$ for some $i$ and $h$. The definition of CYCLE implies that $b'.nt_i \stackrel{h-1}{=} b'.t_{max}$. We consider two cases:

$h < h'$: First consider $i \neq k$. Part 1 of Claim 6.4.7 and the definition of NEXTLABEL show that $b'.t_{max} \stackrel{h}{=} b.t_{max}$. Thus, V is true in $b'$ since $t_i$ and $nt_i$ do not change, $CYCLE(b'.t_{max}, h)$ depends only on $b'.t_{max}[1 \ldots h-1]$, and V is true in $b$. Now let $i = k$. In this case, part 1 of Claim 6.4.7 shows that $b'.t_i = b'.t_{max}$. This suffices to show V.

$h > h'$: Since $b'.nt_i \stackrel{h-1}{=} b'.t_{max}$ and $h > h'$, it follows that $b'.nt_i \stackrel{h'}{=} b'.t_{max}$. Thus part 3 of Claim 6.4.7 implies that $b'.nt_i = b'.t_{max}$. By part 2 of Claim 6.4.7, $b'.t_{max}[h] = 1$. Thus $b'.nt_i[h] = 1$, which implies that $b'.nt_i \notin CYCLE(b'.t_{max}, h)$. This contradicts our original assumption that $b'.nt_i \in CYCLE(b'.t_{max}, h)$. Therefore this case cannot arise. $\Box$


Claim 6.4.12 If $k \neq b.i_{max}$ and $b.t_{max} \prec b.nt_k$ then VIb is true in $b'$.

Proof: Assume that $b'.t_{max}[h] \neq 1$. We proceed with a case analysis:

$h < h'$: Part 1 of Claim 6.4.7 and the definition of NEXTLABEL show that $b'.t_{max} \stackrel{h}{=} b.t_{max}$. Thus $b'.t_{max}[h] \neq 1$ implies that $b.t_{max}[h] \neq 1$. Since $b.t_{max}[h] \neq 1$ and VIb is true for $b$, $NUM(b.t_{max}, h-1) \geq n-h+1$. By part 5 of Claim 6.4.7, $NUM(b'.t_{max}, h-1) \geq NUM(b.t_{max}, h-1)$. Thus, $NUM(b'.t_{max}, h-1) \geq n-h+1$, which implies that VIb is true for $b'$.

$h = h'$ and $b.t_{max}[h] \neq 1$: Since $b.t_{max}[h] \neq 1$ and VIb is true for $b$, $NUM(b.t_{max}, h-1) \geq n-h+1$. By part 5 of Claim 6.4.7, $NUM(b'.t_{max}, h-1) \geq NUM(b.t_{max}, h-1)$. Thus, $NUM(b'.t_{max}, h-1) \geq n-h+1$, which implies that VIb is true for $b'$.

$h = h'$ and $b.t_{max}[h] = 1$: Part 1 of Claim 6.4.7 and the fact that $h' = h$ imply that $b.nt_k = NEXTLABEL(b.t_{max}, h)$. Since $b.nt_k = NEXTLABEL(b.t_{max}, h)$ and VIa is true for state $b$, $NUM_k(b.t_{max}, h-1) \geq n-h$. By part 5 of Claim 6.4.7, $NUM_k(b'.t_{max}, h-1) \geq NUM_k(b.t_{max}, h-1)$. Thus, $NUM_k(b'.t_{max}, h-1) \geq n-h$. Since $b'.t_{max} = b'.t_k$, $k \in AGREE(b'.t_{max}, h-1)$. Therefore $NUM(b'.t_{max}, h-1) > NUM_k(b'.t_{max}, h-1) \geq n-h$. Thus, $NUM(b'.t_{max}, h-1) \geq n-h+1$, which implies that VIb is true for $b'$.

$h > h'$: Part 2 of Claim 6.4.7 and the fact that $h > h'$ imply that $b'.t_{max}[h] = 1$. This contradicts the assumption that $b'.t_{max}[h] \neq 1$. Therefore, this case cannot arise. $\Box$


Claim 6.4.13 If $k \neq b.i_{max}$ and $b.t_{max} \prec b.nt_k$ then VIa is true in $b'$.

Proof: Let $b'.nt_i = NEXTLABEL(b'.t_{max}, h)$ for some $h$ and $i$. We proceed with a case analysis:

$h < h'$: Part 1 of Claim 6.4.7 and the definition of NEXTLABEL show that $b'.t_{max} \stackrel{h}{=} b.t_{max}$. Now the fact that $nt_i$ does not change and the fact that $b'.nt_i = NEXTLABEL(b'.t_{max}, h)$ imply that $b.nt_i = NEXTLABEL(b.t_{max}, h)$. Since $b.nt_i = NEXTLABEL(b.t_{max}, h)$ and VIa is true in state $b$, $NUM_i(b.t_{max}, h-1) \geq n-h$. Part 5 of Claim 6.4.7 shows that $NUM_i(b'.t_{max}, h-1) \geq NUM_i(b.t_{max}, h-1)$. Therefore, $NUM_i(b'.t_{max}, h-1) \geq n-h$, which implies that VIa is true for $b'$.

$h = h'$: Using part 1 of Claim 6.4.7 and the definition of NEXTLABEL we can conclude that $b'.t_{max}[h] = NEXT(b.t_{max}[h])$. There exists no $x \in A$ such that $NEXT(x) = 1$. Hence $b'.t_{max}[h] \neq 1$. Claim 6.4.12 implies that VIb holds for state $b'$. Since $b'.t_{max}[h] \neq 1$, VIb for state $b'$ implies that $NUM(b'.t_{max}, h-1) \geq n-h+1$. Thus $NUM_i(b'.t_{max}, h-1) \geq n-h$ and VIa is true in state $b'$.

$h > h'$: The fact that $b'.nt_i = NEXTLABEL(b'.t_{max}, h)$ and the definition of NEXTLABEL imply that $b'.nt_i \stackrel{h'}{=} b'.t_{max}$. Now part 3 of Claim 6.4.7 and the fact that $h > h'$ imply that $b'.nt_i = b'.t_{max}$. Thus $b'.nt_i \neq NEXTLABEL(b'.t_{max}, h)$, which contradicts our assumption that $b'.nt_i = NEXTLABEL(b'.t_{max}, h)$. Therefore, this case cannot arise. $\Box$


We now complete the proof of the lemma. To show that $b'$ satisfies I - VI we consider two cases: $k = b.i_{max}$ and $k \neq b.i_{max}$. Claim 6.4.1 shows that $b'$ satisfies I - VI when $k = b.i_{max}$. When $k \neq b.i_{max}$, Claim 6.4.2 shows that invariant I holds in state $b'$. The proof for invariants II - VI is subdivided into two cases: $b.nt_k \prec b.t_{max}$ and $b.t_{max} \prec b.nt_k$. Claim 6.4.5 shows that II - VI hold when $b.nt_k \prec b.t_{max}$. Claim 6.4.8, Claim 6.4.9, Claim 6.4.10, Claim 6.4.11, Claim 6.4.12 and Claim 6.4.13 each consider one of the invariants to show that II - VI hold when $b.t_{max} \prec b.nt_k$. $\Box$

(Footnote) Actually, this case cannot arise. However, the argument that proves that the case cannot arise is more complicated than the argument that proves that VIa is satisfied if the case does arise.


Lemma 6.5 Let $b$ be a state of BCTSS that satisfies I - VI. If $(b, SNAP_k(t_k, \bar v_k), b')$ is a step of BCTSS for any $k$, then $b'$ satisfies I - VI.

Proof: Note that none of the t-labels or nt-labels change when $op_k = SCAN_k$. Therefore, assume that $op_k = LABEL_k$. The proof is divided into a series of claims. First consider the case where $k = b.i_{max}$.

Claim 6.5.14 If $k = b.i_{max}$ then $b'$ satisfies I - VI.

Proof: The definition of $SNAP_k(t_k, \bar v_k)$ for BCTSS shows that no labels change. This suffices to show that $b'$ satisfies I - VI. $\Box$

So assume that $k \neq b.i_{max}$ for the remainder of the proof of the lemma. By definition of $NEWLABEL_k$, $b'.nt_k = NEXTLABEL(b.t_{max}, h')$ for some $h' \in \{1 \ldots n-1\}$. Fix $h'$. Note, by definition of NEXTLABEL, $b.t_{max} \prec b'.nt_k$.
Claim 6.5.15 If $k \neq b.i_{max}$ then $NUM_k(b.t_{max}, h') = NUM_k(b.t_{max}, h'-1) = n - h'$.

Proof: By definition of $NEWLABEL_k$, $FULL_k(h')$ returns true in state $b$, so $NUM_k(b.t_{max}, h') \geq n - h'$. Moreover, $FULL_k(h'-1)$ returns false in state $b$, therefore $NUM_k(b.t_{max}, h'-1) < n - (h'-1)$. But by definition, $NUM_k(b.t_{max}, h'-1) \geq NUM_k(b.t_{max}, h')$, so $NUM_k(b.t_{max}, h'-1) = NUM_k(b.t_{max}, h') = n - h'$. $\Box$
Claim 6.5.16 If $k \neq b.i_{max}$ then I is true in $b'$.

Proof: For a contradiction assume that $TOT(b') = false$. Then there must exist a choice vector $C$ whose values are not totally ordered. By Lemma 5.2, there exist $b'.\ell_i, b'.\ell_j, b'.\ell_z \in C$ such that $b'.\ell_i \stackrel{h-1}{=} b'.\ell_j \stackrel{h-1}{=} b'.\ell_z$ and $\{b'.\ell_i[h], b'.\ell_j[h], b'.\ell_z[h]\} = \{3,4,5\}$ for some $h \in \{1 \ldots n-1\}$. Since $b'.\ell_i$, $b'.\ell_j$ and $b'.\ell_z$ are elements of a choice vector, $b'.\ell_i \in \{b'.t_i, b'.nt_i\}$, $b'.\ell_j \in \{b'.t_j, b'.nt_j\}$, $b'.\ell_z \in \{b'.t_z, b'.nt_z\}$ and $i \neq z$, $j \neq z$, $j \neq i$. By I for state $b$, $TOT(b) = true$. Therefore the values of $C$ for state $b$ must be totally ordered. The only label that changes as a result of the action is $nt_k$. Consequently, we can assume without loss of generality that $b'.\ell_z = b'.nt_k$ and $z = k$. Furthermore, since $i \neq k$ and $j \neq k$, $\ell_i$ and $\ell_j$ do not change as a result of the action. Thus, $b.\ell_i = b'.\ell_i$ and $b.\ell_j = b'.\ell_j$. Now we can conclude that:

$$b.\ell_i \stackrel{h-1}{=} b.\ell_j \stackrel{h-1}{=} b'.nt_k \quad \text{and} \quad \{b.\ell_i[h], b.\ell_j[h], b'.nt_k[h]\} = \{3,4,5\}. \quad (1)$$

Recall that $b'.nt_k = NEXTLABEL(b.t_{max}, h')$. We will now show that $h = h'$. Let $z = b.i_{max}$, then $b.t_z = b.t_{max}$. Since $k \neq b.i_{max}$, $k \neq z$. The definition of NEXTLABEL implies that $b.t_z \stackrel{h'-1}{=} b'.nt_k$. For a contradiction assume that $h < h'$. Now substitute $b.t_z$ for $b'.nt_k$ in Equation 1 to conclude that $b.\ell_i \stackrel{h-1}{=} b.\ell_j \stackrel{h-1}{=} b.t_z$ and $\{b.\ell_i[h], b.\ell_j[h], b.t_z[h]\} = \{3,4,5\}$. By Lemma 5.2 any set of labels containing $b.\ell_i$, $b.\ell_j$, and $b.t_z$ is not totally ordered. We now show that $i \neq z$ and $j \neq z$, since this will allow us to conclude that there exists a choice vector that includes $b.\ell_i$, $b.\ell_j$, and $b.t_z$. Since $\{b.\ell_i[h], b.\ell_j[h], b.t_z[h]\} = \{3,4,5\}$ and $b.\ell_i \in \{b.t_i, b.nt_i\}$, either $b.t_i[h] \neq b.t_z[h]$ or $b.nt_i[h] \neq b.t_z[h]$. If $i = z$ the former is clearly impossible and the latter is impossible since $b.nt_z = b.t_z$ by invariant II. Thus $i \neq z$. The same argument shows that $j \neq z$. Now we have a choice vector for state $b$ whose values are not totally ordered. The existence of such a choice vector contradicts invariant I for state $b$. Thus $h \not< h'$. The definition of NEXTLABEL implies that $b'.nt_k[h''] = 1$ for all $h'' > h'$. Since $b'.nt_k[h] \in \{3,4,5\}$, $h \not> h'$. Now $h \not< h'$ and $h \not> h'$, so $h = h'$.

We now construct a set of labels which is not totally ordered and which includes $b.t_{max}$ and $b'.nt_k$. First we show that $b.t_{max}[h'] \in \{3,4,5\}$. Since $b'.nt_k[h'] \in \{3,4,5\}$, the definition of NEXTLABEL implies that $b.t_{max}[h'] \in \{2,3,4,5\}$. We proceed by showing that $b.t_{max}[h'] \neq 2$. In order to reach a contradiction we assume that $b.t_{max}[h'] = 2$. Since $b.t_{max} \stackrel{h'-1}{=} b'.nt_k$ and $b'.nt_k \stackrel{h'-1}{=} b.\ell_i$, $b.t_{max} \stackrel{h'-1}{=} b.\ell_i$. Furthermore, $b.t_{max}[h'] = 2$ and $b.\ell_i[h'] \in \{3,4,5\}$, thus $b.t_{max}[h'] <_d b.\ell_i[h']$. Consequently, $b.t_{max} \prec b.\ell_i$. We consider the cases $b.\ell_i = b.t_i$ and $b.\ell_i = b.nt_i$ separately. When $b.\ell_i = b.t_i$, $b.t_{max} \prec b.t_i$, which contradicts the definition of $b.t_{max}$. Thus, this case cannot arise. When $b.\ell_i = b.nt_i$, $b.t_{max} \prec b.nt_i$. Now invariant III and the definition of NEXTLABEL imply that $b.nt_i[h'] = b.t_{max}[h']$ or $b.nt_i[h'] = NEXT(b.t_{max}[h'])$ or $b.nt_i[h'] = 1$. Thus, when $b.t_{max}[h'] = 2$, $b.nt_i[h'] \notin \{4,5\}$. Therefore we can conclude that $b.\ell_i[h'] \notin \{4,5\}$ when $b.t_{max}[h'] = 2$. Using the same argument we can show that $b.\ell_j[h'] \notin \{4,5\}$ when $b.t_{max}[h'] = 2$. This contradicts Equation 1, according to which $\{b.\ell_i[h'], b.\ell_j[h'], b'.nt_k[h']\} = \{3,4,5\}$. Thus $b.t_{max}[h'] \neq 2$ and $b.t_{max}[h'] \in \{3,4,5\}$.

Since $\{b.\ell_i[h'], b.\ell_j[h'], b'.nt_k[h']\} = \{3,4,5\}$, using the definition of $<_d$ we can assume without loss of generality that:

$$b.\ell_i[h'] <_d b.\ell_j[h'] <_d b'.nt_k[h'] \quad \text{and} \quad b.\ell_i[h'] \not<_d b'.nt_k[h']. \quad (2)$$

Recall that $z = b.i_{max}$, $b.t_z = b.t_{max}$, $b.t_z \stackrel{h'-1}{=} b'.nt_k$, and $b.t_z[h'] <_d b'.nt_k[h']$. Hence, we can replace $b.\ell_j$ by $b.t_{max}$ in Equation 1 and Equation 2, which yields the following:

$$b.\ell_i \stackrel{h'-1}{=} b.t_{max} \stackrel{h'-1}{=} b'.nt_k \quad \text{and} \quad \{b.\ell_i[h'], b.t_{max}[h'], b'.nt_k[h']\} = \{3,4,5\}, \quad (3)$$

$$b.\ell_i[h'] <_d b.t_{max}[h'] <_d b'.nt_k[h'] \quad \text{and} \quad b.\ell_i[h'] \not<_d b'.nt_k[h']. \quad (4)$$

Consequently,

$$b.\ell_i \prec b.t_{max} \prec b'.nt_k \quad \text{and} \quad b.\ell_i \not\prec b'.nt_k, \quad (5)$$

$$b.\ell_i,\ b.t_{max},\ b'.nt_k \in CYCLE(b.t_{max}, h'). \quad (6)$$

Consider the cases $b.\ell_i = b.nt_i$ and $b.\ell_i = b.t_i$ separately:

$b.nt_i$: Since $b.nt_i \in CYCLE(b.t_{max}, h')$, V for state $b$ shows that $b.t_i \stackrel{h'-1}{=} b.t_{max}$. By Claim 6.5.15, $NUM_k(b.t_{max}, h'-1) = NUM_k(b.t_{max}, h')$. Therefore, since $i \neq k$, $b.t_i \stackrel{h'-1}{=} b.t_{max}$ implies that $b.t_i \stackrel{h'}{=} b.t_{max}$. Now, from IV for state $b$ and the fact that $b.nt_i \prec b.t_{max}$, it follows that $b.nt_i \stackrel{h'}{=} b.t_{max}$, a contradiction to Equation 4 according to which $b.nt_i[h'] <_d b.t_{max}[h']$.

$b.t_i$: By Claim 6.5.15, $NUM_k(b.t_{max}, h'-1) = NUM_k(b.t_{max}, h')$. Therefore, since $i \neq k$, $b.t_i \stackrel{h'-1}{=} b.t_{max}$ implies that $b.t_i \stackrel{h'}{=} b.t_{max}$. Now, $b.t_i \stackrel{h'}{=} b.t_{max}$ contradicts Equation 4 according to which $b.t_i[h'] <_d b.t_{max}[h']$.

We have reached a contradiction in each case. Consequently, there exists no choice vector whose values are not totally ordered. Hence, $TOT(b') = true$. $\Box$


Claim 6.5.17 If $k \neq b.i_{max}$ then II - VI are true in $b'$.

Proof: VIb holds in state $b'$ since it holds in state $b$ and no t-labels change. Now consider II - VIa. If $i \neq k$, then the definition of $SNAP_k(t_k, \bar v_k)$ shows that neither $t_i$, $nt_i$, $t_{max}$, nor $NUM_i(t_{max}, h)$ change. Therefore, II - VIa are true in state $b'$ since II - VIa are true in state $b$. So assume that $i = k$. In this case $b'.nt_i = NEXTLABEL(b.t_{max}, h')$ and $b'.t_{max} \prec b'.nt_i$. Consider II - VIa separately:

II: Since $k \neq b.i_{max}$, $i \neq b.i_{max}$. Furthermore, $b.i_{max} = b'.i_{max}$, thus $i \neq b'.i_{max}$. Now II is vacuously true in state $b'$.

III: Since $b'.t_{max} = b.t_{max}$ and $b'.nt_i = NEXTLABEL(b.t_{max}, h')$, $b'.nt_i = NEXTLABEL(b'.t_{max}, h')$.

IV: Since $b'.t_{max} = b.t_{max} \prec b'.nt_i$, IV is vacuously true in $b'$.

V: Suppose that $b'.nt_i \in CYCLE(b'.t_{max}, h)$ where $h \in \{1 \ldots n-1\}$. The definition of CYCLE now implies that $b'.nt_i[h] \in \{3,4,5\}$. Recall that $b'.nt_i = NEXTLABEL(b.t_{max}, h')$. The definition of NEXTLABEL implies that $b'.nt_i[h''] = 1$ for all $h'' > h'$. Since $b'.nt_i[h] \in \{3,4,5\}$, we can conclude that $h \leq h'$. We consider the two cases $h = h'$ and $h < h'$ separately.

First consider the case $h = h'$. Since $NEXT(1) \notin \{3,4,5\}$ and $NEXT(b.t_{max}[h]) = b'.nt_i[h] \in \{3,4,5\}$, $b.t_{max}[h] \neq 1$. Now VIb for state $b$ shows that $NUM(b.t_{max}, h-1) \geq n-h+1$. Furthermore, Claim 6.5.15 and the fact that $i = k$ show that $NUM_i(b.t_{max}, h-1) < n-h+1$. Since $NUM(b.t_{max}, h-1) \geq n-h+1$ and $NUM_i(b.t_{max}, h-1) < n-h+1$, $i \in AGREE(b.t_{max}, h-1)$. Thus $b.t_i \stackrel{h-1}{=} b.t_{max}$. Since $t_i$ and $t_{max}$ do not change, $b'.t_i \stackrel{h-1}{=} b'.t_{max}$.

Now consider the case $h < h'$. The fact that $b'.nt_i = NEXTLABEL(b.t_{max}, h')$ and the definition of NEXTLABEL imply that $b.t_{max}[h] = b'.nt_i[h]$. Therefore, $b.t_{max}[h] \neq 1$ since $b.t_{max}[h] = b'.nt_i[h] \in \{3,4,5\}$. Now VIb for state $b$ shows that $NUM(b.t_{max}, h-1) \geq n-h+1$. The definition of $NEWLABEL_k$ and the fact that $i = k$ show that $FULL_k(h-1)$ returns false, which implies that $NUM_i(b.t_{max}, h-1) < n-h+1$. Since $NUM(b.t_{max}, h-1) \geq n-h+1$ and $NUM_i(b.t_{max}, h-1) < n-h+1$, $i \in AGREE(b.t_{max}, h-1)$. Thus $b.t_i \stackrel{h-1}{=} b.t_{max}$. Since $t_i$ and $t_{max}$ do not change, $b'.t_i \stackrel{h-1}{=} b'.t_{max}$.

VIa: Since $b'.t_{max} = b.t_{max}$ and $b'.nt_i = NEXTLABEL(b.t_{max}, h')$, we conclude that $b'.nt_i = NEXTLABEL(b'.t_{max}, h')$. Now Claim 6.5.15 implies that $NUM_i(b'.t_{max}, h'-1) = n - h'$. $\Box$

We can now complete the proof of the lemma. Claim 6.5.14 shows that I - VI hold for $b'$ when $k = b.i_{max}$. When $k \neq b.i_{max}$, Claim 6.5.16 shows that I holds in $b'$ and Claim 6.5.17 shows that II - VI hold for $b'$. $\Box$


Proof: (For Theorem 6.1) We proceed by induction on the length of the execution ending in the reachable state $b$. The base case is established by Lemma 6.2. The induction step is a case analysis based on the action $\pi$, where $(b', \pi, b)$ is the last step in the execution. If $\pi \in \{BEGINSCAN_k, ENDSCAN_k(\sigma_k, \bar v_k), BEGINLABEL_k(val_k), ENDLABEL_k\}$, the induction step follows from Lemma 6.3. If $\pi = UPDATE_k((t_k, v_k), (nt_k, val_k))$, the induction step follows from Lemma 6.4. If $\pi = SNAP_k(t_k, \bar v_k)$, the induction step follows from Lemma 6.5. $\Box$


7 Simulation Proof

In this section we prove that BCTSS solves CTSS. Specifically, we use Theorem 2.1 to show that $fairbehs(BCTSS) \subseteq fairbehs(UCTSS)$. This implies that BCTSS implements UCTSS. Recall that we have already shown that UCTSS solves CTSS. In order to use Theorem 2.1, we define the relation $R$ between the states of BCTSS and the states of UCTSS as follows:

Definition 7.1 (relation $R$) If $b$ is a state of BCTSS and $u$ is a state of UCTSS then $(b, u) \in R$ iff for all $i, j \in \{1 \ldots n\}$, $i \neq j$:

1. $b.\sigma_i = u.\sigma_i$.

2. $b.t_i \prec b.t_j$ iff $u.t_i < u.t_j$,
   $b.nt_i \prec b.t_j$ iff $u.nt_i < u.t_j$,
   $b.t_i \prec b.nt_j$ iff $u.t_i < u.nt_j$,
   $b.nt_i \prec b.nt_j$ iff $u.nt_i < u.nt_j$.

3. $b.v_i = u.v_i$.

4. $b.val_i = u.val_i$.

5. $b.\bar v_i = u.\bar v_i$.

6. $b.op_i = u.op_i$.

7. $b.pc_i = u.pc_i$.

$\Box$


Parts 1 and 5 ensure that a process $p_i$ returns the same response to a $SCAN_i$ request in BCTSS and in UCTSS. Recall that $\sigma_i$ contains the order of the labels that was last observed by $p_i$. Part 2 states that the $\prec$ ordering of any choice vector from BCTSS is the same as the $<$ ordering of the corresponding labels from UCTSS. Notice that part 2 gives no information about the relation between $t_i$ and $nt_i$. Parts 3 and 5 ensure that BCTSS and UCTSS associate values with labels in the same manner. Part 6 ensures that UCTSS and BCTSS will execute the same part of the $SNAP_i$ action code. Finally, part 7 ensures that UCTSS and BCTSS will be able to execute the corresponding action during each state transition.

The following lemma proves that the first of the three assumptions required by Theorem 2.1 is true.

Lemma 7.1 For the initial state $b$ of BCTSS, there exists an initial state $u$ of UCTSS such that $(b, u) \in R$.

Proof: In the initial states $b$ of BCTSS and $u$ of UCTSS, $\sigma_i = (1 \ldots n)$ for all $i \in \{1 \ldots n\}$. Hence part 1 of $R$ is satisfied. Part 2 is satisfied since $t_i = nt_j$ for all $i, j \in \{1 \ldots n\}$ in both BCTSS and UCTSS. Parts 3 - 5 are satisfied since $\bar v_i = (v_0 \ldots v_0)$ and $v_i = val_i = v_0$ for all $i \in \{1 \ldots n\}$ in both BCTSS and UCTSS. Parts 6 and 7 of $R$ are satisfied for the initial states since $op_i = pc_i = NIL$ in both systems. $\Box$


The following lemma shows that the mapping $R$ is preserved by all of the actions of BCTSS. This lemma proves that the second of the three assumptions required by Theorem 2.1 is true.

Lemma 7.2 Let $b$ be a reachable state of BCTSS and $u$ be a reachable state of UCTSS such that $(b, u) \in R$. If $(b, \pi, b')$ is a step of BCTSS then there exists $u'$ such that $(u, \pi, u')$ is a step of UCTSS and $(b', u') \in R$.


Proof: We proceed by case analysis on $\pi$.

Case $\pi \in \{BEGINSCAN_k, ENDSCAN_k(\sigma_k, \bar v_k), ENDLABEL_k\}$:

Since $(b, u) \in R$, we can conclude that $b.pc_k = u.pc_k$, $b.\sigma_k = u.\sigma_k$, and $b.\bar v_k = u.\bar v_k$. Hence, $\pi$ is enabled in $u$. Let $u'$ be the unique state of UCTSS such that $(u, \pi, u')$ is a step of UCTSS. In both BCTSS and UCTSS only $op_k$ and $pc_k$ change as a result of $\pi$. Inspection of the code in Figure 1 shows that $b'.op_k = u'.op_k$ and $b'.pc_k = u'.pc_k$. This suffices to show that $(b', u') \in R$.

Case $\pi = BEGINLABEL_k(val_k)$:

Since $BEGINLABEL_k(val_k)$ is an input action, it is clearly enabled in state $u$. Let $u'$ be the unique state of UCTSS such that $(u, \pi, u')$ is a step of UCTSS. Only $val_k$, $op_k$, and $pc_k$ change as a result of the action. By definition of the action $b'.val_k = u'.val_k$. Furthermore $b'.op_k = u'.op_k = LABEL_k$ and $b'.pc_k = u'.pc_k = SNAP_k(t_k, \bar v_k)$. This suffices to show that $(b', u') \in R$.
Case $\pi = SNAP_k(t_k, \bar v_k)$ when $b.op_k = SCAN_k$:

Since $(b, u) \in R$, $b.pc_k = u.pc_k$. Hence, $\pi$ is enabled in $u$. Furthermore $u.op_k = b.op_k = SCAN_k$. Let $u'$ be the unique state such that $(u, \pi, u')$ is a step of UCTSS.

$SNAP_k(t_k, \bar v_k)$, when $op_k = SCAN_k$, determines $\sigma_k$ based on the $\ll$ ordering. Recall that $\ll$ is a lexicographical order defined by the order between the t-labels, using $\prec$ for BCTSS and $<$ for UCTSS, and the order between the process indices. By assumption $(b, u) \in R$. This implies that $b.t_i \prec b.t_j$ iff $u.t_i < u.t_j$ for all $i, j \in \{1 \ldots n\}$; thus $SNAP_k(t_k, \bar v_k)$ will produce the same ordering for BCTSS and UCTSS. Hence $b'.\sigma_k = u'.\sigma_k$. Furthermore, part 3 of $R$ implies that $b'.\bar v_k = u'.\bar v_k$. Figure 1 shows $b'.pc_k = u'.pc_k = ENDSCAN_k(\sigma_k, \bar v_k)$. Only $\sigma_k$, $\bar v_k$ and $pc_k$ change as a result of the action, and thus we can conclude that $(b', u') \in R$.
Case $\pi = SNAP_k(t_k, \bar v_k)$ when $b.op_k = LABEL_k$:

Since $(b, u) \in R$, $b.pc_k = u.pc_k$. Hence, $\pi$ is enabled in $u$. Furthermore $u.op_k = b.op_k = LABEL_k$. There are two cases: $k = b.i_{max}$ and $k \neq b.i_{max}$.

We first consider the case $k = b.i_{max}$. Since $(b, u) \in R$, part 2 of $R$ implies that $b.i_{max} = u.i_{max}$. Hence, $k = u.i_{max}$. Let $u'$ be the unique state such that $(u, \pi, u')$ is a step of UCTSS. Now the definition of $NEWLABEL_k$ for BCTSS and UCTSS shows that only $pc_k$ changes for both BCTSS and UCTSS. Figure 1 shows $b'.pc_k = u'.pc_k = UPDATE_k((t_k, v_k), (nt_k, val_k))$. This suffices to show that $(b', u') \in R$.

So assume that $k \neq b.i_{max}$ for the remainder of the proof of this case. Since $(b, u) \in R$, part 2 of $R$ implies that $b.i_{max} = u.i_{max}$. Hence, $k \neq u.i_{max}$. In this case there are many states $u'$ such that $(u, \pi, u')$ is a step of UCTSS; these states differ only by the value of $u'.nt_k$. We now define a particular value $u'.nt_k$ and hence a particular state $u'$.

Define $S = \{i \mid i \neq k \text{ and } b.t_{max} \prec b.nt_i\}$. Let $z = b.i_{max}$, then $b.t_z = b.t_{max}$. Invariant II shows that $b.nt_z = b.t_z$. Hence, $b.nt_z = b.t_{max}$. This implies that $z \notin S$. Thus, $b.i_{max} \notin S$. For all $i \in S$, III for state $b$ shows that $b.nt_i = NEXTLABEL(b.t_{max}, h_i)$ for some $h_i \in \{1 \ldots n-1\}$. Furthermore, the definition of $NEWLABEL_k$ implies that $b'.nt_k = NEXTLABEL(b.t_{max}, h_k)$ for some $h_k \in \{1 \ldots n-1\}$. Define:

$$S_1 = \{i \mid i \in S, h_i > h_k\}, \quad S_2 = \{i \mid i \in S, h_i = h_k\} \quad \text{and} \quad S_3 = \{i \mid i \in S, h_i < h_k\}. \quad (7)$$

Note that:

$$S_1 \cap S_2 = S_2 \cap S_3 = S_1 \cap S_3 = \emptyset \quad \text{and} \quad S_1 \cup S_2 \cup S_3 = S. \quad (8)$$

Since $\prec$ is a lexicographical order, the order between any two labels in BCTSS is determined by the first digit at which they differ. Therefore, for any $i_1 \in S_1$, $i_2 \in S_2$, and $i_3 \in S_3$, it is the case that:

$$b.t_{max} \prec b.nt_{i_1} \prec b.nt_{i_2} = b'.nt_k \prec b.nt_{i_3}. \quad (9)$$

Recall $z = b.i_{max}$. Thus, $b.t_z \prec b.nt_{i_1} \prec b.nt_{i_2} = b'.nt_k \prec b.nt_{i_3}$. Since $z \notin S$ and $(b, u) \in R$, part 2 of $R$ now shows that $u.t_z < u.nt_{i_1} < u.nt_{i_2} < u.nt_{i_3}$. Since $b.i_{max} = u.i_{max}$, $z = u.i_{max}$ and $u.t_z = u.t_{max}$. This shows that:

$$u.t_{max} < u.nt_{i_1} < u.nt_{i_2} < u.nt_{i_3}. \quad (10)$$

We use the following rules for picking $u'.nt_k$. If $S_2 \neq \emptyset$, then $u'.nt_k = u.nt_i$ for any $i \in S_2$. If on the other hand $S_2 = \emptyset$, define $u.nt_{max}$ and $u.nt_{min}$ as follows: $u.nt_{max} = \max(u.nt_i \mid i \in S_1)$ if $S_1 \neq \emptyset$, otherwise $u.nt_{max} = u.t_{max}$; $u.nt_{min} = \min(u.nt_i \mid i \in S_3)$ if $S_3 \neq \emptyset$, otherwise $u.nt_{min} = \infty$. Choose any $u'.nt_k$ such that $u.nt_{max} < u'.nt_k < u.nt_{min}$. For any $i_1 \in S_1$, $i_2 \in S_2$, and $i_3 \in S_3$, the two rules and Equation 10 imply that:

$$u.t_{max} < u.nt_{i_1} < u.nt_{i_2} = u'.nt_k < u.nt_{i_3}. \quad (11)$$

With both rules for choosing $u'.nt_k$, $u.t_{max} < u'.nt_k$. Hence, there exists an $X \in \mathbb{R}^{>0}$ such that $u'.nt_k = u.t_{max} + X$.

We now show that $(b', u') \in R$. Only $nt_k$ and $pc_k$ change as a result of the action. Figure 1 shows $b'.pc_k = u'.pc_k = UPDATE_k((t_k, v_k), (nt_k, val_k))$. Consequently, $(b', u') \in R$ if we can show that part 2 of $R$ holds for states $b'$ and $u'$. For part 2 of the relation there are four cases to consider. All other cases do not involve $b'.nt_k$. Let $i \in \{1 \ldots n\}$ and $i \neq k$:

1. $b'.nt_k \prec b'.t_i$ iff $u'.nt_k < u'.t_i$,
   $b'.t_i \prec b'.nt_k$ iff $u'.t_i < u'.nt_k$:

   Since no t-labels change, $b'.t_{max} = b.t_{max}$ and $b'.i_{max} = b.i_{max}$. Recall that $k \neq b.i_{max}$, hence $b'.nt_k = NEXTLABEL(b.t_{max}, h_k)$ and $b'.t_{max} = b.t_{max} \prec b'.nt_k$ as a result of the action. Furthermore, $b'.t_i = b.t_i$. Therefore, $b'.t_i \preceq b'.t_{max} \prec b'.nt_k$. Let $z = b'.i_{max}$. In this case $z \neq k$ and $b'.t_z = b'.t_{max}$. Since $i \neq k$, $z \neq k$ and $b'.t_z = b'.t_{max}$, there exists a choice vector that includes $b'.t_i$, $b'.t_{max}$, and $b'.nt_k$. By invariant I the values of this choice vector are totally ordered by $\prec$. Therefore, $b'.t_i \preceq b'.t_{max} \prec b'.nt_k$ implies that $b'.t_i \prec b'.nt_k$.

   Similarly, since $k \neq u.i_{max}$, $u'.t_{max} = u.t_{max} < u'.nt_k$ as a result of the action. Furthermore, $u'.t_i = u.t_i$. Therefore $u'.t_i \leq u'.t_{max} < u'.nt_k$. This implies that $u'.t_i < u'.nt_k$.

2. $b'.nt_i \prec b'.nt_k$ iff $u'.nt_i < u'.nt_k$,
   $b'.nt_k \prec b'.nt_i$ iff $u'.nt_k < u'.nt_i$:

   We can divide the nt-labels of UCTSS into two disjoint sets. Recall that $S = \{j \mid j \neq k \text{ and } b.t_{max} \prec b.nt_j\}$. Define $T = \{j \mid j \neq k \text{ and } b.t_{max} \succeq b.nt_j\}$. Similarly, define $S_u = \{j \mid j \neq k \text{ and } u.t_{max} < u.nt_j\}$ and $T_u = \{j \mid j \neq k \text{ and } u.t_{max} \geq u.nt_j\}$. By part 2 of $R$ and the fact that $(b, u) \in R$, $S = S_u$ and $T = T_u$. Consider $i \in T$ and $i \in S$ separately.

   Suppose $i \in T$. Since $i \neq k$, $b'.nt_i = b.nt_i$. Therefore $b'.nt_i \preceq b'.t_{max} \prec b'.nt_k$. Let $z = b'.i_{max}$. In this case $z \neq k$ and $b'.t_z = b'.t_{max}$. Since $i \neq k$, $z \neq k$ and $b'.t_z = b'.t_{max}$, there exists a choice vector that includes $b'.nt_i$, $b'.t_{max}$, and $b'.nt_k$. By invariant I the values of this choice vector are totally ordered by $\prec$. Therefore, $b'.nt_i \preceq b'.t_{max} \prec b'.nt_k$ implies that $b'.nt_i \prec b'.nt_k$. Similarly, $u'.nt_i = u.nt_i$ since $i \neq k$. Therefore, $u'.nt_i \leq u'.t_{max} < u'.nt_k$. This implies that $u'.nt_i < u'.nt_k$.

   Now suppose $i \in S$. Consider any $i_1 \in S_1$, $i_2 \in S_2$, and $i_3 \in S_3$ where $S_1, S_2, S_3$ are defined by Equation 7. Since $k \notin S$, $b'.nt_j = b.nt_j$ and $u'.nt_j = u.nt_j$ for all $j \in S$. Consequently Equation 9 and Equation 11 show that $b.t_{max} \prec b'.nt_{i_1} \prec b'.nt_{i_2} = b'.nt_k \prec b'.nt_{i_3}$ and $u.t_{max} < u'.nt_{i_1} < u'.nt_{i_2} = u'.nt_k < u'.nt_{i_3}$. Using these facts we now consider the following cases: $i \in S_1$, $i \in S_2$, and $i \in S_3$. If $i \in S_1$, then $b'.nt_i \prec b'.nt_k$ and $u'.nt_i < u'.nt_k$. If $i \in S_2$, then $b'.nt_i = b'.nt_k$ and $u'.nt_i = u'.nt_k$. If $i \in S_3$, then $b'.nt_k \prec b'.nt_i$ and $u'.nt_k < u'.nt_i$.


Case $\pi = UPDATE_k((t_k, v_k), (nt_k, val_k))$:

Since $(b, u) \in R$, $b.pc_k = u.pc_k$. Hence, $\pi$ is enabled in $u$. Let $u'$ be the unique state such that $(u, \pi, u')$ is a step of UCTSS.

Only $v_k$, $t_k$ and $pc_k$ change as a result of the action. Since $(b, u) \in R$, part 4 of $R$ shows that $b.val_k = u.val_k$. Thus, $b'.v_k = u'.v_k$. Figure 1 shows $b'.pc_k = u'.pc_k = ENDLABEL_k$. Consequently, $(b', u') \in R$ if we can show that part 2 of $R$ holds for states $b'$ and $u'$. For part 2 of $R$ there are four cases to consider. All other cases are immediate since they do not involve $t_k$, and since $t_k$ is the only label that changes as a result of the action. Let $i \in \{1 \ldots n\}$ and $i \neq k$:

1. $b'.t_k \prec b'.t_i$ iff $u'.t_k < u'.t_i$:

   Since $(b, u) \in R$ and $t_k$ is the only label that changes, $b.nt_k \prec b'.t_i$ iff $u.nt_k < u'.t_i$. As a result of the action, $b'.t_k = b.nt_k$ and $u'.t_k = u.nt_k$. Hence $b'.t_k \prec b'.t_i$ iff $u'.t_k < u'.t_i$.

2. $b'.t_i \prec b'.t_k$ iff $u'.t_i < u'.t_k$,
   $b'.nt_i \prec b'.t_k$ iff $u'.nt_i < u'.t_k$,
   $b'.t_k \prec b'.nt_i$ iff $u'.t_k < u'.nt_i$:

   For all three statements, the reasoning is similar to that of case 1. $\Box$

We can now conclude that BCTSS correctly implements the properties of CTSS.

Theorem 7.3 BCTSS solves CTSS.

Proof: By definition of BCTSS and UCTSS, $sig(BCTSS) = sig(UCTSS)$ and $part(BCTSS) = part(UCTSS)$. Lemma 7.1 and Lemma 7.2 show that BCTSS and UCTSS satisfy the first two conditions of Theorem 2.1. For the third condition note that an action $\pi$ is enabled in UCTSS if and only if $\pi$ is enabled in BCTSS. Consequently, Theorem 2.1 shows that $fairbehs(BCTSS) \subseteq fairbehs(UCTSS)$. Thus BCTSS implements UCTSS. Since UCTSS solves CTSS, BCTSS solves CTSS. $\Box$


8 Applications

This section discusses two applications of a CTSS in the area of wait-free algorithms. Specifically, we discuss multireader multiwriter atomic registers and first-come-first-serve (fcfs) mutual exclusion.⁶ Both of these problems are solved by very simple algorithms based on a CTSS. Using our bounded CTSS, these problems have a simple bounded solution. For both problems we present an algorithm based on a CTSS along with a correctness proof for the algorithm. In the correctness proof, we assume nothing about the CTSS except that it satisfies the CTSS specification of Section 3.

$l$-exclusion (see [13, 14]) and randomized consensus (see [4, 8, 27, 2]) are also important problems that have simple CTSS based solutions. $l$-exclusion seeks to limit the number of processes concurrently executing a section of code called the critical section to $l$. Mutual exclusion is the same as $l$-exclusion when $l = 1$. Randomized consensus provides a randomized algorithm by which a set of asynchronous processes can agree on a common value. A consensus algorithm is considered valid if all processes agree on value $a$ whenever $a$ was the input originally given to all processes. Finally, a consensus algorithm must guarantee that each process will terminate in a finite number of steps with probability 1 even if other processes exhibit stopping failures. Shavit [37] presents an algorithm based on a CTSS along with a correctness proof for both the $l$-exclusion and randomized consensus problems. In the correctness proofs, he assumes nothing about the CTSS except that it satisfies axioms P0-P3 of the CTSS specification of Section 3.

⁶ The algorithms for fcfs mutual exclusion and multireader multiwriter registers presented in this paper are based on similar algorithms presented in [37]. We discuss the algorithms since [37] does not prove their correctness.
8.1 Multireader Multiwriter Atomic Registers

This section presents a simple bounded algorithm for solving the famous problem of constructing a multireader multiwriter atomic register, MRMW, from single writer multireader atomic registers (see [33, 17, 36]). Informally, the read and write operations of a multireader multiwriter atomic register are separated into a request (input) action and a response (output) action, concurrent operation executions are allowed, and every request eventually terminates in a matching response, in such a way as to produce the illusion of instantaneous operations.

The algorithm in Figure 6 is a version (due to Li and Vitanyi [25]) of the elegant and simple unbounded Vitanyi-Awerbuch algorithm [34]. The original solution is based on an unbounded construction that behaves in a manner similar to a CTSS. We replace this construction by the LABEL and SCAN operations of the CTSS specification.⁷

The code for the operations of MRMW is presented in two forms. Figure 7 presents the code in the precondition-effect notation commonly used to describe I/O Automata. Figure 6 uses pseudocode. We use the precondition-effect notation as the basis for the correctness proof and include the compact and intuitive pseudocode only for clarity. The only shared variables of MRMW are those of the CTSS. The local variables $\sigma_i$ and $\bar v_i$ contain the results of the $SCAN_i$ operation. Recall that the $n^{th}$ process index in the array $\sigma_i$ contains the process index of the process currently associated with the "largest" label in the $\Rightarrow$ ordering of LABEL operations.


$READ_i$
    $SCAN_i(t_i, \bar v_i)$
    return $(v_{i_{max}})$ where $max = \sigma_{i_n}$

$WRITE_i(val_i)$
    $LABEL_i(val_i)$

Figure 6: Pseudocode for MRMW.


In terms of the I/O Automata model, MRMW is an I/O Automaton with an operational interface. MRMW is the composition of $n$ I/O Automata $\{p_1 \ldots p_n\}$ and any I/O Automaton solving CTSS for $n$ concurrent operations. The actions $BEGINSCAN_i$, $ENDSCAN_i(\sigma_i, \bar v_i)$, $BEGINLABEL_i(val_i)$, and $ENDLABEL_i$ are the means by which $p_i$ and the I/O Automaton solving CTSS communicate. These actions are hidden in MRMW. Each $p_i$ is an I/O Automaton with an operational interface. The operation types of $p_i$ are $READ_i$, $WRITE_i$, $SCAN_i$, and $LABEL_i$. The operation type $READ_i$ consists of the input action $BEGINREAD_i$ and the output action $ENDREAD_i(v_{i_{max}})$. The operation type $WRITE_i$ consists of the input action $BEGINWRITE_i(val_i)$ and the output action $ENDWRITE_i$. The operation type $SCAN_i$ consists of the output action $BEGINSCAN_i$ and the input action $ENDSCAN_i(\sigma_i, \bar v_i)$. The operation type $LABEL_i$ consists of the output action $BEGINLABEL_i(val_i)$ and the input action $ENDLABEL_i$. There are no internal actions for $p_i$. The set $states(p_i)$ is the set of all possible states of $p_i$ where each state is defined by the values of the variables of the shared and local state. The set $starts(p_i)$ is the set consisting of the state defined by the initial values of the variables of the shared and local state. The set $steps(p_i)$ is characterized by the precondition clause in each action. The set $part(p_i)$ consists of the equivalence class $C_i$ where $C_i$ consists of $BEGINSCAN_i$, $ENDREAD_i(v_{i_{max}})$, $BEGINLABEL_i(val_i)$, and $ENDWRITE_i$.

We introduce the following notation: In any schedule $\beta$, where $beh(\beta) \in fairbehs(MRMW)$ and $beh(\beta)$ is well-formed and response-live, denote the $a^{th}$ execution of $WRITE_i$ by $W_i^{(a)}$ and the $a^{th}$ execution of $READ_i$ by $R_i^{(a)}$. Since each WRITE operation results in exactly one LABEL operation and each READ operation results in exactly one SCAN operation, $L_i^{(a)}$ and $S_i^{(a)}$ are the $LABEL_i$ operation of $W_i^{(a)}$ and the $SCAN_i$ operation of $R_i^{(a)}$ respectively. Define $z(i, a) = \sigma_{i_n}$ for operation $R_i^{(a)}$. Intuitively, $z(i, a)$ is the index of the process that wrote the value returned by $R_i^{(a)}$. Let $c$ be a choice function for $\beta$ as characterized by P0-P4 of Section 3. Define $r(i, a) = c(i, a, z(i, a))$ for operation $R_i^{(a)}$. Intuitively, $r(i, a)$ is the execution number of the WRITE operation that wrote the value returned by $R_i^{(a)}$. Since MRMW has an operational interface and $beh(\beta)$ is well-formed and response-live, Definition 2.8 gives a partial order $\to$ on all READ and WRITE operations of $\beta$. By inspection of the code in Figure 7, the projection of $\beta$ onto the actions in $extsig(CTSS)$, $\beta_c$, yields a well-formed and response-live behavior, where $\beta_c \in behs(CTSS)$. Consequently, Definition 2.8 gives a partial order $\to'$ on all SCAN and LABEL operations of $\beta$. Note that $W_i^{(a)} \to R_j^{(b)}$ implies $L_i^{(a)} \to' S_j^{(b)}$. However, $L_i^{(a)} \to' S_j^{(b)}$ does not imply $W_i^{(a)} \to R_j^{(b)}$.

⁷ [37] erroneously claims that the Vitanyi-Awerbuch algorithm [34] can be implemented using a CTSS that only satisfies axioms P0-P3.

Shared State:
    The shared state of the CTSS with initial values given by Figure 1.

Local State:
    The local state of the CTSS with initial values given by Figure 1.
    $val_i$: The value written by $WRITE_i$; initially $v_0$.
    $v_{i_{max}}$: The value returned by $READ_i$; initially $v_0$.
    $\bar v_i$: An array of values returned by $SCAN_i$; initially $(v_0 \ldots v_0)$.
    $\sigma_i$: An array of process indexes returned by $SCAN_i$; initially $(1 \ldots n)$.

$READ_i$:
    $BEGINREAD_i$                      Eff: $pc_i \leftarrow BEGINSCAN_i$
    $BEGINSCAN_i$                      Pre: $pc_i = BEGINSCAN_i$
                                       Eff: $pc_i \leftarrow NIL$
    $ENDSCAN_i(\sigma_i, \bar v_i)$    Eff: $pc_i \leftarrow ENDREAD_i(v_{i_{max}})$ where $max = \sigma_{i_n}$
    $ENDREAD_i(v_{i_{max}})$           Pre: $pc_i = ENDREAD_i(v_{i_{max}})$
                                       Eff: $pc_i \leftarrow NIL$

$WRITE_i$:
    $BEGINWRITE_i(val_i)$              Eff: $pc_i \leftarrow BEGINLABEL_i(val_i)$
    $BEGINLABEL_i(val_i)$              Pre: $pc_i = BEGINLABEL_i(val_i)$
                                       Eff: $pc_i \leftarrow NIL$
    $ENDLABEL_i$                       Eff: $pc_i \leftarrow ENDWRITE_i$
    $ENDWRITE_i$                       Pre: $pc_i = ENDWRITE_i$
                                       Eff: $pc_i \leftarrow NIL$

Figure 7: Precondition-Effect code for MRMW.


An atomic multireader multiwriter register is characterized by the following serial specification $S$ [23],[28]:

Definition 8.1 (serial specification $S$) Let $s$ be a sequence of READ and WRITE operations. Then $s \in S$, if every READ operation returns the value written by the WRITE operation that immediately precedes the READ operation in $s$. If no such WRITE operation exists, the READ operation returns the initial value $v_0$. □


In order to prove that MRMW is an atomic multireader multiwriter register, we must show that MRMW is well-formed-preserving and response-live. Furthermore, we must show that for every well-formed and response-live behavior $\beta$, where $\beta \in fairbehs(\mathrm{MRMW})$, there exists an order $\Longrightarrow$ such that (see Definition 2.10):

1. $\Longrightarrow$ is a total order on all READ and WRITE operations that is consistent with $\longrightarrow$.

2. If $s$ is the sequence of READ and WRITE operations ordered by $\Longrightarrow$, then $s \in S$ of Definition 8.1.


Consider any schedule $\beta$ where $beh(\beta) \in fairbehs(\mathrm{MRMW})$ and $beh(\beta)$ is well-formed and response-live. Define order $\Longrightarrow'$ and choice function $c$ for $\beta$, as characterized by P0–P4. We construct $\Longrightarrow$ in several steps.

Notice that each WRITE operation includes a LABEL operation from the underlying CTSS. By P1 the LABEL operations are totally ordered by $\Longrightarrow'$ in a manner that is consistent with the partial order $\longrightarrow'$. Now define $\Longrightarrow$ as follows:
$$W_i^{[a]} \Longrightarrow W_j^{[b]} \quad \text{iff} \quad L_i^{[a]} \Longrightarrow' L_j^{[b]}.$$


Note that $\Longrightarrow$ so far is only defined on the WRITE operations. Now extend $\Longrightarrow$ to include the READ operations.

Insert $R_i^{[a]}$ in $\Longrightarrow$ such that $R_i^{[a]}$ is between $W_{x(i,a)}^{[r(i,a)]}$ and the WRITE operation that immediately succeeds $W_{x(i,a)}^{[r(i,a)]}$ in $\Longrightarrow$. If $r(i,a) = 0$ then let $R_i^{[a]}$ precede the first WRITE operation.


Now $\Longrightarrow$ orders each READ operation with respect to every WRITE operation. However, $\Longrightarrow$ is not yet a total order. READ operations are ordered amongst themselves only if they are transitively ordered by a WRITE operation. Let $R$ be any set of READ operations that are ordered between two WRITE operations that are consecutive in the $\Longrightarrow$ order. Now extend $\Longrightarrow$ such that the elements of $R$ are totally ordered in a manner that is consistent with $\longrightarrow$. Repeat this procedure for each set of READ operations that are ordered between two WRITE operations that are consecutive in the $\Longrightarrow$ order. Finally, extend $\Longrightarrow$ for the READ operations that are ordered before any WRITE operations in a manner that is consistent with $\longrightarrow$. Now $\Longrightarrow$ is a total order. Specifically, $\Longrightarrow$ is irreflexive, antisymmetric, transitive and total. We now show that $\Longrightarrow$ is consistent with $\longrightarrow$.

Lemma 8.1 For any $i,j \in \{1\ldots n\}$, if $W_i^{[a]} \Longrightarrow W_j^{[b]}$ then $W_j^{[b]} \not\longrightarrow W_i^{[a]}$.

Proof: Since $W_i^{[a]} \Longrightarrow W_j^{[b]}$, the construction of $\Longrightarrow$ shows that $L_i^{[a]} \Longrightarrow' L_j^{[b]}$. Now P1a implies that $L_j^{[b]} \not\longrightarrow' L_i^{[a]}$. Consequently $W_j^{[b]} \not\longrightarrow W_i^{[a]}$. □


Lemma 8.2 For any $i,j \in \{1\ldots n\}$, if $R_i^{[a]} \Longrightarrow W_j^{[b]}$ then $W_j^{[b]} \not\longrightarrow R_i^{[a]}$.

Proof: We consider the cases $b = c(i,a,j)$, $b < c(i,a,j)$, and $b > c(i,a,j)$ separately.

$b = c(i,a,j)$: There are two cases to consider: $j = x(i,a)$ and $j \neq x(i,a)$. When $j = x(i,a)$, then by construction of the $\Longrightarrow$ order, $c(i,a,j) = r(i,a)$ and $W_j^{[b]} \Longrightarrow R_i^{[a]}$. This contradicts the assumption that $R_i^{[a]} \Longrightarrow W_j^{[b]}$, so this case cannot arise. Now consider the case $j \neq x(i,a)$. Assume that $r(i,a) > 0$. Since $R_i^{[a]} \Longrightarrow W_j^{[b]}$, the construction of the $\Longrightarrow$ order implies that $W_{x(i,a)}^{[r(i,a)]} \Longrightarrow R_i^{[a]} \Longrightarrow W_j^{[b]}$. Consequently, $L_{x(i,a)}^{[r(i,a)]} \Longrightarrow' L_j^{[b]}$. Now, P1b implies that $S_i^{[a]}$ finds $x(i,a) < j$ in $\theta_i$. However, by definition of $x(i,a)$ no such $j$ exists. Therefore, this case cannot arise. Now consider the case $j \neq x(i,a)$ when $r(i,a) = 0$. Since $b \neq 0$, P1b implies that $S_i^{[a]}$ finds $x(i,a) < j$ in $\theta_i$. However, by definition of $x(i,a)$ no such $j$ exists. Therefore, this case cannot arise.

$b < c(i,a,j)$: In the previous case we proved that $W_j^{[c(i,a,j)]} \Longrightarrow R_i^{[a]}$. Since $b < c(i,a,j)$, it must be the case that $L_j^{[b]} \longrightarrow' L_j^{[c(i,a,j)]}$. Now, P1a shows that $L_j^{[b]} \Longrightarrow' L_j^{[c(i,a,j)]}$. Consequently, the construction of the $\Longrightarrow$ order implies $W_j^{[b]} \Longrightarrow W_j^{[c(i,a,j)]} \Longrightarrow R_i^{[a]}$, which contradicts the assumption that $R_i^{[a]} \Longrightarrow W_j^{[b]}$. Therefore, this case cannot arise.

$b > c(i,a,j)$: We proceed by showing that $L_j^{[b]} \not\longrightarrow' S_i^{[a]}$. In order to reach a contradiction, assume that $L_j^{[b]} \longrightarrow' S_i^{[a]}$. Assume also that $c(i,a,j) > 0$. Since $b > c(i,a,j)$, it follows that $L_j^{[c(i,a,j)]} \longrightarrow' L_j^{[b]}$. Thus $L_j^{[c(i,a,j)]} \longrightarrow' L_j^{[b]} \longrightarrow' S_i^{[a]}$, which is impossible by P2. Therefore $L_j^{[b]} \not\longrightarrow' S_i^{[a]}$. Furthermore, if $c(i,a,j) = 0$, P2 directly shows that $L_j^{[b]} \not\longrightarrow' S_i^{[a]}$. Since $L_j^{[b]} \not\longrightarrow' S_i^{[a]}$, we conclude that $W_j^{[b]} \not\longrightarrow R_i^{[a]}$. □


Lemma 8.3 For any $i,j \in \{1\ldots n\}$, if $W_j^{[b]} \Longrightarrow R_i^{[a]}$ then $R_i^{[a]} \not\longrightarrow W_j^{[b]}$.

Proof: We consider the cases $b = c(i,a,j)$, $b < c(i,a,j)$, and $b > c(i,a,j)$ separately.

$b = c(i,a,j)$: P2 implies that $S_i^{[a]} \not\longrightarrow' L_j^{[c(i,a,j)]}$. This shows directly that $R_i^{[a]} \not\longrightarrow W_j^{[b]}$.

$b < c(i,a,j)$: P2 implies that $S_i^{[a]} \not\longrightarrow' L_j^{[c(i,a,j)]}$. Since $b < c(i,a,j)$, $L_j^{[b]} \longrightarrow' L_j^{[c(i,a,j)]}$. Consequently, $S_i^{[a]} \not\longrightarrow' L_j^{[b]}$. This shows directly that $R_i^{[a]} \not\longrightarrow W_j^{[b]}$.

$b > c(i,a,j)$: We proceed by showing that $S_i^{[a]} \not\longrightarrow' L_j^{[b]}$. In order to reach a contradiction, assume that $S_i^{[a]} \longrightarrow' L_j^{[b]}$. Assume that $r(i,a) > 0$. Now P4 implies that $L_{x(i,a)}^{[r(i,a)]} \Longrightarrow' L_j^{[b]}$. By construction of the $\Longrightarrow$ order, this implies that $R_i^{[a]} \Longrightarrow W_j^{[b]}$. If $r(i,a) = 0$, the construction of the $\Longrightarrow$ order shows that $R_i^{[a]} \Longrightarrow W_j^{[b]}$. However, the fact that $R_i^{[a]} \Longrightarrow W_j^{[b]}$ contradicts the assumption that $W_j^{[b]} \Longrightarrow R_i^{[a]}$. Consequently, $S_i^{[a]} \not\longrightarrow' L_j^{[b]}$. This shows immediately that $R_i^{[a]} \not\longrightarrow W_j^{[b]}$. □


Lemma 8.4 For any $i,j \in \{1\ldots n\}$, if $R_i^{[a]} \Longrightarrow R_j^{[b]}$ then $R_j^{[b]} \not\longrightarrow R_i^{[a]}$.

Proof: We consider two cases. First consider the case where there does not exist $W_k^{[d]}$ such that $R_i^{[a]} \Longrightarrow W_k^{[d]} \Longrightarrow R_j^{[b]}$. In this case the construction of the $\Longrightarrow$ order immediately shows that $R_j^{[b]} \not\longrightarrow R_i^{[a]}$ when $R_i^{[a]} \Longrightarrow R_j^{[b]}$. For the second case assume that there exists $W_k^{[d]}$ such that $R_i^{[a]} \Longrightarrow W_k^{[d]} \Longrightarrow R_j^{[b]}$. The right-most $W_k^{[d]}$ is given by $k = x(j,b)$ and $d = r(j,b)$. Now define $k' = x(i,a)$ and $d' = r(i,a)$ assuming that $r(i,a) > 0$. Consequently,
$$W_{k'}^{[d']} \Longrightarrow R_i^{[a]} \Longrightarrow W_k^{[d]} \Longrightarrow R_j^{[b]}. \qquad (12)$$
In order to reach a contradiction, we assume that $R_j^{[b]} \longrightarrow R_i^{[a]}$. Consider Equation 12. By definition of $x$ and $r$, $S_i^{[a]}$ sees $v_{k'}^{[d']}$, and $S_j^{[b]}$ sees $v_k^{[d]}$. We now wish to show that $c(i,a,k) \neq d$. To reach a contradiction assume that $c(i,a,k) = d$. Since $S_i^{[a]}$ sees $v_k^{[d]}$ and $v_{k'}^{[d']}$ and $k' = x(i,a)$, $S_i^{[a]}$ finds $k < k'$ in $\theta_i$. Now P1b shows that $L_k^{[d]} \Longrightarrow' L_{k'}^{[d']}$. By definition of $\Longrightarrow$ this implies that $W_k^{[d]} \Longrightarrow W_{k'}^{[d']}$, which contradicts Equation 12. Thus $c(i,a,k) \neq d$.

By assumption $R_j^{[b]} \longrightarrow R_i^{[a]}$, thus $S_j^{[b]} \longrightarrow' S_i^{[a]}$. Since $S_j^{[b]}$ sees $v_k^{[d]}$, $S_i^{[a]}$ sees $v_k^{[c(i,a,k)]}$ and $c(i,a,k) \neq d$, P3 now shows that $d < c(i,a,k)$. This implies that $L_k^{[d]} \Longrightarrow' L_k^{[c(i,a,k)]}$. Thus, by definition of $\Longrightarrow$ it follows that:
$$W_k^{[d]} \Longrightarrow W_k^{[c(i,a,k)]}. \qquad (13)$$
Next we show that $W_k^{[c(i,a,k)]} \Longrightarrow R_i^{[a]}$. If not, the construction of the $\Longrightarrow$ order and the facts that $k' = x(i,a)$ and $d' = r(i,a)$ imply that $W_{k'}^{[d']} \Longrightarrow R_i^{[a]} \Longrightarrow W_k^{[c(i,a,k)]}$. Consequently, $L_{k'}^{[d']} \Longrightarrow' L_k^{[c(i,a,k)]}$. Then, P1b implies that $S_i^{[a]}$ finds $k' = x(i,a) < k$ in $\theta_i$. However, by definition of $x(i,a)$, no such $k$ exists. Therefore $W_k^{[c(i,a,k)]} \Longrightarrow R_i^{[a]}$. This fact along with Equation 13 and the fact that $\Longrightarrow$ is transitive implies that $W_k^{[d]} \Longrightarrow R_i^{[a]}$. Thus we have a contradiction to Equation 12.

Finally, consider the case where $r(i,a) = 0$. As in the previous case, $R_i^{[a]} \Longrightarrow W_k^{[d]} \Longrightarrow R_j^{[b]}$ where $W_k^{[d]}$ is given by $k = x(j,b)$ and $d = r(j,b)$. Since $r(i,a) = 0$, the definition of $r(i,a)$ and P1b imply that $c(i,a,z) = 0$ for all $z \in \{1\ldots n\}$. In order to reach a contradiction assume that $R_j^{[b]} \longrightarrow R_i^{[a]}$. This implies that $S_j^{[b]} \longrightarrow' S_i^{[a]}$. Furthermore since $c(i,a,k) = 0$ and $d = r(j,b) > 0$, $c(i,a,k) \neq r(j,b)$. Now P3 shows that $r(j,b) < c(i,a,k)$, which contradicts the fact that $c(i,a,k) = 0$ and $d = r(j,b) > 0$. □


We now show that the READ and WRITE operations ordered by the $\Longrightarrow$ order form a sequence permitted by the serial specification $S$ of Definition 8.1.

Lemma 8.5 Let $s$ be the sequence of READ and WRITE operations of $\beta$ ordered by the $\Longrightarrow$ order. Then $s \in S$.

Proof: There are two cases: $r(i,a) > 0$ and $r(i,a) = 0$. When $r(i,a) > 0$ the definition of $\Longrightarrow$ implies that $R_i^{[a]}$ is immediately preceded by $W_{x(i,a)}^{[r(i,a)]}$ where $r(i,a) = c(i,a,x(i,a))$. Now, P0 shows that $v_{x(i,a)} = val_{x(i,a)}^{[r(i,a)]}$. When $r(i,a) = 0$, the definition of $\Longrightarrow$ implies that $R_i^{[a]}$ precedes all WRITE operations. Also, P0 shows that $v_{x(i,a)} = v_{x(i,a)}^{[0]} = v_0$. Noting that $R_i^{[a]}$ returns $v_{x(i,a)}$ completes the proof. □
Finally, we prove that MRMW is well-formed-preserving and response-live.

Lemma 8.6 MRMW is well-formed-preserving and response-live.

Proof: Notice, by inspecting the precondition clauses in the code of Figure 7, that for equivalence class $C_i$ of $part(\mathrm{MRMW})$, there is always at most one action enabled. Furthermore each action remains enabled until it is executed. Consequently, the actions must be executed in the sequence in which they are enabled. Furthermore, in a fair execution each enabled action will eventually be executed.

Now consider any fair execution whose behavior has a well-formed-input. Since CTSS is well-formed-preserving and response-live, inspection of the precondition-effects code in Figure 7 shows that the following sequence of actions is executed in response to a BEGINREAD_i input action: BEGINSCAN_i, ENDSCAN_i(θ_i, v̄_i), and ENDREAD_i(v_max). In response to a BEGINWRITE_i(val_i) input action, the following sequence of actions is executed: BEGINLABEL_i(val_i), ENDLABEL_i, and ENDWRITE_i. Finally, no actions of $C_i$ are enabled between the execution of an ENDREAD_i(v_max) or ENDWRITE_i action and the next execution of a BEGINREAD_i or a BEGINWRITE_i(val_i) action. Inspection of these action sequences and the definitions of well-formed-preserving and response-live immediately shows that MRMW is well-formed-preserving and response-live. □


We can now conclude that MRMW, if it uses our bounded CTSS construction, is a bounded atomic multireader multiwriter register.

Lemma 8.7 MRMW is an atomic register satisfying serialization specification $S$.

Proof: By Lemma 8.6, MRMW is well-formed-preserving and response-live. Now consider any behavior $\beta \in fairbehs(\mathrm{MRMW})$ that has a well-formed-input. Since MRMW is well-formed-preserving and response-live, $\beta$ is well-formed and response-live. Consider the order $\Longrightarrow$ on the operations in $\beta$ defined in the preceding discussion. Lemma 8.5 shows that the order satisfies the serial specification $S$. Lemma 8.1, Lemma 8.2, Lemma 8.3, and Lemma 8.4 show that $\Longrightarrow$ is consistent with partial order $\longrightarrow$. □
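The construction of $\Longrightarrow$ and the checks of Lemmas 8.1–8.5 can be exercised mechanically. The Python program below is an added example, not code from the paper: it runs the MRMW processes of Figure 7 (one pc_i per process, one enabled action per step) against a trivial unbounded CTSS stand-in (a global counter for LABEL_i and an atomic snapshot for SCAN_i, which is not the paper's bounded construction) under random schedules, records when each READ and WRITE is invoked and responds, and then builds $\Longrightarrow$ exactly as above: WRITEs in label order, each READ placed right after $W_{x(i,a)}^{[r(i,a)]}$ (before every WRITE when $r(i,a) = 0$), and READs in the same gap ordered by invocation time. `is_atomic` checks both conditions of Definition 2.10. The `faulty` switch makes the reader take the minimum rather than the maximum label of $\theta_i$, so the check can be seen rejecting a non-atomic register. The names `run_schedule`, `build_order`, `is_atomic` and the `valN.M` values are constructed for this example.

```python
# Added example: MRMW register of Figure 7 on an abstract CTSS, checked via the => order.
import random


class CTSS:
    """Unbounded stand-in for the CTSS (not the paper's bounded one); each call is one
    atomic step, i.e. BEGIN/END are fused as in the IRA view of Section 9."""
    def __init__(self, n, v0):
        self.clock = 0
        self.label = [0] * n      # label 0 is every process's initial label
        self.value = [v0] * n     # v0 is the register's initial value
        self.count = [0] * n      # execution number of the last LABEL_i

    def label_op(self, i, val):   # LABEL_i(val): fresh label larger than all earlier ones
        self.clock += 1
        self.label[i], self.value[i] = self.clock, val
        self.count[i] += 1
        return self.clock

    def scan_op(self):            # SCAN: processes in label order, values, LABEL counts
        theta = sorted(range(len(self.label)), key=lambda j: self.label[j])
        return theta, list(self.value), list(self.count)


def run_schedule(n, steps, seed, v0="v0", faulty=False):
    """Drive n MRMW processes (pc_i as in Figure 7) through a random schedule; return
    the completed READ/WRITE records.  faulty=True reads the minimum label instead."""
    rng, ctss = random.Random(seed), CTSS(n, v0)
    pc, pending, ops = ["NIL"] * n, [None] * n, []
    reads, writes, t = [0] * n, [0] * n, 0

    def step(i):
        nonlocal t
        t += 1
        op = pending[i]
        if pc[i] == "NIL":             # environment issues BEGINREAD_i or BEGINWRITE_i(val_i)
            if rng.random() < 0.5:
                reads[i] += 1
                pending[i] = {"kind": "R", "proc": i, "exec": reads[i], "inv": t}
                pc[i] = "BEGINSCAN"
            else:
                writes[i] += 1
                pending[i] = {"kind": "W", "proc": i, "exec": writes[i], "inv": t,
                              "val": "val%d.%d" % (i, writes[i])}  # constructed value
                pc[i] = "BEGINLABEL"
        elif pc[i] == "BEGINSCAN":     # BEGINSCAN_i / ENDSCAN_i(theta_i, v_i)
            theta, vals, counts = ctss.scan_op()
            mx = theta[0] if faulty else theta[-1]
            op["x"], op["r"], op["val"] = mx, counts[mx], vals[mx]  # x(i,a), r(i,a)
            pc[i] = "ENDREAD"
        elif pc[i] == "BEGINLABEL":    # BEGINLABEL_i(val_i) / ENDLABEL_i
            op["label"] = ctss.label_op(i, op["val"])
            pc[i] = "ENDWRITE"
        else:                          # ENDREAD_i(v_max) or ENDWRITE_i responds
            op["resp"] = t
            ops.append(op)
            pending[i], pc[i] = None, "NIL"

    for _ in range(steps):
        step(rng.randrange(n))
    for i in range(n):                 # let every pending operation respond
        while pc[i] != "NIL":
            step(i)
    return ops


def build_order(ops):
    """The => order of Section 8.1: WRITEs in label (=>') order, each READ right after
    W_{x(i,a)}^{[r(i,a)]} (before all WRITEs if r = 0), same-gap READs by invocation."""
    ws = sorted((o for o in ops if o["kind"] == "W"), key=lambda o: o["label"])
    slot_of = {(w["proc"], w["exec"]): k + 1 for k, w in enumerate(ws)}
    slots = [[] for _ in range(len(ws) + 1)]
    for r in (o for o in ops if o["kind"] == "R"):
        slots[0 if r["r"] == 0 else slot_of[(r["x"], r["r"])]].append(r)
    seq = []
    for k in range(len(ws) + 1):
        if k:
            seq.append(ws[k - 1])
        seq.extend(sorted(slots[k], key=lambda o: o["inv"]))
    return seq


def is_atomic(ops, v0="v0"):
    """Definition 2.10 as a check: => respects --> (a responds before b is invoked
    implies a precedes b in =>) and the sequence satisfies S of Definition 8.1."""
    seq = build_order(ops)
    pos = {id(o): k for k, o in enumerate(seq)}
    if any(a["resp"] < b["inv"] and pos[id(a)] > pos[id(b)] for a in ops for b in ops):
        return False
    last = v0
    for o in seq:
        if o["kind"] == "W":
            last = o["val"]
        elif o["val"] != last:
            return False
    return True
```

With the correct reader every seed passes, because the label counter gives $\Longrightarrow'$ consistent with real time and the snapshot gives each READ the maximum label present at its SCAN; with `faulty=True` a READ is placed before WRITEs that completed before it was invoked, and the $\longrightarrow$ consistency test fails.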
8.2 Mutual Exclusion

The mutual exclusion problem, originally due to Dijkstra [10], is stated informally as follows (a more formal treatment that also introduces fault tolerance issues can be found in [22])¹⁰. A system of $n$ asynchronous processes communicate via shared memory consisting of single writer multireader atomic registers. The program of every process consists of two distinguished sections: a remainder section and a critical section. Processes alternate between executing the remainder and the critical section. The fundamental goal of the mutual exclusion algorithm is to limit the number of processes concurrently executing the critical section to 1. To solve the mutual exclusion problem, one is required to design trying and exit program sections to be performed before and after executing the critical section respectively. The trying section coordinates the entry into the critical section. In our algorithm the trying section has a subsection called the doorway section. This section is the first part of the trying section and is waitfree. The behavior of a mutual exclusion algorithm is characterized as follows (in order to simplify the discussion, this section uses a slightly less formal approach than the previous sections):

Mutual Exclusion: In any reachable state, no two processes are executing the critical section.

Deadlock Freedom: In any reachable state, if there exists some process that is in the trying section, then there exists a process that is in the critical section or a process that will eventually enter the critical section.

Lockout Freedom:

1. In any execution, if there is no process that is forever executing the critical section, any process executing the trying section will eventually execute the critical section.

2. In any reachable state, if there is some process in the exit section, then some process will eventually enter the remainder section.

The fairness property of lockout freedom is strengthened in the following way.

First Come First Serve: If process $p_i$ finishes executing the doorway section before process $p_j$ begins executing the doorway section, then $p_i$ executes the critical section before $p_j$ does.

¹⁰ Many solutions to the problem have been proposed over the years. (See [31].)
The pseudocode version of our mutual exclusion algorithm is presented in Figure 8. The algorithm is a simplified version of Lamport's Bakery Algorithm [19]. Our notation uses BEGINLABEL_i() and ENDLABEL_i instead of just LABEL_i() in order to clearly indicate what the atomic actions are. The reason for using BEGINSCAN_i and ENDSCAN_i instead of SCAN_i is the same. Lines 1–8 represent the trying section and line 10 the exit section. The doorway section consists of lines 1–4. In addition to the shared variables associated with the CTSS, each process $p_i$ has a shared variable called $x_i$ which is implemented as a single writer multireader atomic register. Process $p_i$ writes $x_i$ and all other processes read $x_i$. The variable $\theta_i$ is a local variable that contains the result of the SCAN_i operation of lines 6 and 7. Lines 1, 2, 3, 4, 6, 7, 9, 10, and 11 each represent atomic actions. Since lines 5 and 8 read the shared atomic variables $x_j$ for $j \in \{1\ldots n\}$, lines 5 and 8 consist of one atomic action for each time a particular $x_j$ is read. For every execution of lines 5 and 8 each $x_j$, for $j \in \{1\ldots n\}$, is read once. The states of the Lamport-Bakery mutual exclusion algorithm are defined by the values of the variables associated with the CTSS, the shared variables $x_i$ for all $i$, as well as all local variables and the program counter, $pc_i$, of each process.
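The following Python simulation is an added illustration, not part of the paper: it executes Figure 8 one atomic action per step, with $pc_i$ holding the line number about to execute and lines 5 and 8 reading one $x_j$ per step, exactly as described above. The CTSS is a trivial unbounded stand-in (a counter for LABEL_i, the processes sorted by label for SCAN_i), chosen because this section relies only on the CTSS axioms and not on the bounded construction. The schedule is an explicit list of process indices so that a particular interleaving can be replayed; `random_schedule` draws one from a seed. The checks at critical-section entry correspond to the Mutual Exclusion and First Come First Serve properties, and the entry count to Deadlock Freedom. The names `run_bakery`, `random_schedule` and `skip_line5` are this example's own; `skip_line5` drops the wait of line 5 so that the doorway's purpose can be observed.

```python
# Added example: Figure 8 run one atomic action per step on an abstract CTSS.
import random

BOT, T, NIL = "bot", "T", "NIL"            # the three values x_i can take


class CTSS:
    """Unbounded stand-in for the CTSS (not the paper's bounded one): LABEL_i draws a
    strictly increasing label; SCAN returns theta_i, processes in label order."""
    def __init__(self, n):
        self.clock, self.label = 0, [0] * n

    def label_op(self, i):
        self.clock += 1
        self.label[i] = self.clock

    def scan_op(self):
        return sorted(range(len(self.label)), key=lambda j: self.label[j])


def run_bakery(n, schedule, skip_line5=False):
    """Run Figure 8 under `schedule` (a sequence of process indices); pc_i is the line
    about to execute.  Returns {"mutex", "fcfs", "entries"}.  skip_line5=True omits
    the wait at line 5 (an assumption of this example, not a variant in the paper)."""
    ctss = CTSS(n)
    x, pc = [NIL] * n, [1] * n             # every process starts its trying section
    theta, k = [None] * n, [0] * n         # scan result and loop index for lines 5 / 8
    door_begin, door_end = [None] * n, [None] * n
    in_cs, mutex, fcfs, entries = set(), True, True, 0
    for t, i in enumerate(schedule):
        line = pc[i]
        if line == 1:                      # x_i <- bot  (doorway starts)
            x[i], door_begin[i], pc[i] = BOT, t, 2
        elif line == 2:                    # BEGINLABEL_i()
            pc[i] = 3
        elif line == 3:                    # ENDLABEL_i
            ctss.label_op(i)
            pc[i] = 4
        elif line == 4:                    # x_i <- T  (doorway ends)
            x[i], door_end[i], k[i] = T, t, 0
            pc[i] = 6 if skip_line5 else 5
        elif line == 5:                    # if exists j with x_j = bot then goto L1 (line 5)
            if x[k[i]] == BOT:
                k[i] = 0                   # restart the check from the first process
            else:
                k[i] += 1
                if k[i] == n:
                    pc[i] = 6
        elif line == 6:                    # BEGINSCAN_i
            pc[i] = 7
        elif line == 7:                    # theta_i <- ENDSCAN_i
            theta[i], k[i], pc[i] = ctss.scan_op(), 0, 8
        elif line == 8:                    # if exists j < i in theta_i with x_j = T then goto L2 (line 6)
            j = k[i]
            if theta[i].index(j) < theta[i].index(i) and x[j] == T:
                pc[i] = 6
            else:
                k[i] += 1
                if k[i] == n:
                    pc[i] = 9
        elif line == 9:                    # enter the critical section: check the properties
            mutex = mutex and not in_cs
            fcfs = fcfs and not any(pc[m] in (5, 6, 7, 8) and door_end[m] < door_begin[i]
                                    for m in range(n) if m != i)
            in_cs.add(i)
            entries += 1
            pc[i] = 10
        elif line == 10:                   # exit section: x_i <- NIL
            in_cs.discard(i)
            x[i], pc[i] = NIL, 11
        else:                              # remainder section, then try again
            pc[i] = 1
    return {"mutex": mutex, "fcfs": fcfs, "entries": entries}


def random_schedule(n, steps, seed):
    rng = random.Random(seed)
    return [rng.randrange(n) for _ in range(steps)]
```

A useful interleaving to replay with two processes is `[0]*3 + [1]*9 + [0]*6`: $p_0$ takes its label and is then delayed before line 4, so $x_0 = \bot$ while $p_1$ labels, scans and reaches line 8. With line 5 present $p_1$ spins there until $x_0 \neq \bot$ and only $p_0$ enters; with `skip_line5=True`, $p_1$ reads $x_0 \neq T$ at line 8 and enters, after which $p_0$ (holding the smaller label) enters as well, and `mutex` is reported false. That is the situation the proof of Lemma 8.8 excludes through the state $s_1$ taken after the last line-5 read.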

Our correctness proof essentially follows the arguments given in [28] and [22]. The contribution of our proof is that it is based on the CTSS specification. We now introduce some notation that will be used in the correctness proof. Consider the state $s$ in any execution. If process $p_i$ is not executing the LABEL_i operation in state $s$, in other words $pc_i \neq 2$ and $pc_i \neq 3$, we define the function $l(i,s)$ which is a function from the set of process indexes and the set of states to the set of execution numbers of the LABEL operations of the execution. $s(i,s)$ is defined in a similar manner for the SCAN_i operations.

Definition 8.2 (function $l$) Consider an execution $\alpha$. Let $s$ be a state in $\alpha$ where $pc_i \neq 2$ and $pc_i \neq 3$. Then, define $l(i,s)$ to be the execution number of the LABEL_i operation whose ENDLABEL_i action was the last ENDLABEL_i action executed in $\alpha$ before state $s$. □

Definition 8.3 (function $s$) Consider an execution $\alpha$. Let $s$ be a state in $\alpha$ where $pc_i \neq 6$ and $pc_i \neq 7$. Then, define $s(i,s)$ to be the execution number of the SCAN_i operation whose ENDSCAN_i action was the last ENDSCAN_i action executed in $\alpha$ before state $s$. □
Intuitively, for a state $s$, $L_i^{[l(i,s)]}$ is the most recently executed LABEL_i operation and $S_i^{[s(i,s)]}$ is the most recently executed SCAN_i operation. In order to simplify the presentation, we do not provide the argument for why $p_i$ has $pc_i \neq 2$ and $pc_i \neq 3$ or $pc_i \neq 6$ and $pc_i \neq 7$ when discussing $L_i^{[l(i,s)]}$ or $S_i^{[s(i,s)]}$ in cases where it is obvious. The order $\longrightarrow$ is used to order states of an execution as well as the CTSS operation instances in the execution.


Definition 8.4 ($\longrightarrow$ order) Let $A_1$ and $A_2$ be CTSS operation instances and $s_1$ and $s_2$ be occurrences of states in an execution $\alpha$ of the Lamport-Bakery mutual exclusion algorithm. Then:

1. $A_1 \longrightarrow A_2$ iff the response action associated with $A_1$ occurs before the request action associated with $A_2$.
2. $A_1 \longrightarrow s_1$ iff the response action associated with $A_1$ occurs before $s_1$.
3. $s_1 \longrightarrow A_1$ iff the request action associated with $A_1$ occurs after $s_1$.
4. $s_1 \longrightarrow s_2$ iff $s_1$ occurs before $s_2$.


Note that $\longrightarrow$ provides a total order for the states and a partial order for the CTSS operation instances. Now consider any execution $\alpha$ of the Lamport-Bakery mutual exclusion algorithm. We wish to show that the execution satisfies the four properties for mutual exclusion given above. Notice that the projection of the execution onto the external actions of CTSS gives a behavior of CTSS that has a well-formed-input. Consequently, the projection of the execution onto the external actions of CTSS must satisfy axioms P0, P1, and P2¹¹ of Section 3. Let $\Longrightarrow$ and $c$ be an order and a choice function that satisfy P0, P1, and P2 for the projection of $\alpha$ onto the external actions of CTSS. Now consider the following lemma which will be used to prove the mutual exclusion property.

Lemma 8.8 In any state $s$ of the execution $\alpha$, if $p_i$ is in the critical section and $x_j = T$ then $L_i^{[l(i,s)]} \Longrightarrow L_j^{[l(j,s)]}$.

¹¹ Axioms P3 and P4 are not needed for the Lamport-Bakery mutual exclusion algorithm.
repeat forever
 1      x_i ← ⊥
 2      BEGINLABEL_i()
 3      ENDLABEL_i
 4      x_i ← T
 5  L1: If ∃j such that x_j = ⊥ then goto L1
 6  L2: BEGINSCAN_i
 7      θ_i ← ENDSCAN_i
 8      If ∃j such that j < i in θ_i and x_j = T then goto L2
 9      critical section
10      x_i ← NIL
11      remainder section
    end repeat

Figure 8: Pseudocode for Lamport-Bakery mutual exclusion algorithm


Proof: Consider the first state in the execution $\alpha$ after the action in which $p_i$ reads $x_j \neq \bot$ in line 5 for the last time before state $s$. Call this state $s_1$. Since $x_j \neq \bot$, $pc_j \neq 2$ and $pc_j \neq 3$ in state $s_1$. Hence we can now consider two cases: $L_j^{[l(j,s)]} \longrightarrow s_1$ and $s_1 \longrightarrow L_j^{[l(j,s)]}$.

$L_j^{[l(j,s)]} \longrightarrow s_1$: Consider the last state in $\alpha$ before the action in which $p_i$ considers $p_j$ for the last time in line 8 before state $s$. Call this state $s_2$. Since $p_i$ enters the critical section, there are three cases to consider: $i < j$ in $\theta_i$ and $x_j = T$, $i < j$ in $\theta_i$ and $x_j \neq T$, and $j < i$ in $\theta_i$ and $x_j \neq T$. We consider the last two cases together by showing that the case $x_j \neq T$ cannot arise.

$i < j$ in $\theta_i$ and $x_j = T$: In this case $L_j^{[l(j,s)]} \longrightarrow s_1 \longrightarrow S_i^{[s(i,s_2)]}$, therefore $L_j^{[l(j,s)]} \longrightarrow S_i^{[s(i,s_2)]}$. Furthermore, by definition of $l(j,s)$ there exists no $L_j^{[b]}$, where $b \neq l(j,s)$, such that $L_j^{[l(j,s)]} \longrightarrow L_j^{[b]} \longrightarrow S_i^{[s(i,s_2)]}$. Consequently, P2 shows that $c(i,s(i,s_2),j) = l(j,s)$. The same argument shows that $c(i,s(i,s_2),i) = l(i,s)$. Since $p_i$ found $i < j$ in $\theta_i$ of $S_i^{[s(i,s_2)]}$, P1b shows that $L_i^{[l(i,s)]} \Longrightarrow L_j^{[l(j,s)]}$.

$x_j \neq T$: In this case $x_j = NIL$ or $x_j = \bot$. If $x_j = NIL$, then since $x_j = T$ in state $s$ and $s_2 \longrightarrow s$, $p_j$ must execute the LABEL_j operation of lines 2 and 3 between $s_2$ and $s$. Consequently $s_1 \longrightarrow L_j^{[l(j,s)]}$, which contradicts the assumption that $L_j^{[l(j,s)]} \longrightarrow s_1$. So, it must be that $x_j = \bot$ in state $s_2$. Recall that $x_j \neq \bot$ in $s_1$ and $x_j = T$ in $s$. Since $s_1 \longrightarrow s_2 \longrightarrow s$, inspection of the code shows that $p_j$ must execute the LABEL_j operation of lines 2 and 3 between $s_1$ and $s$. This implies that $s_1 \longrightarrow L_j^{[l(j,s)]}$ which contradicts the assumption that $L_j^{[l(j,s)]} \longrightarrow s_1$. Therefore this case cannot arise.

$s_1 \longrightarrow L_j^{[l(j,s)]}$: Since $L_i^{[l(i,s)]} \longrightarrow s_1$, we can conclude that $L_i^{[l(i,s)]} \longrightarrow L_j^{[l(j,s)]}$. Now P1a implies that $L_i^{[l(i,s)]} \Longrightarrow L_j^{[l(j,s)]}$. □


With this lemma, it is easy to show mutual exclusion.

Lemma 8.9 In any state $s$ of the execution $\alpha$, if $p_i$ is in the critical section, then there exists no $j \neq i$ such that $p_j$ is in the critical section.

Proof: We proceed by contradiction. Assume that there exists a state $s$ such that $p_i$ and $p_j$ are in the critical section where $i \neq j$. Since $p_i$ and $p_j$ are in the critical section, $x_i = T$ and $x_j = T$. Now Lemma 8.8 implies that $L_i^{[l(i,s)]} \Longrightarrow L_j^{[l(j,s)]}$ and $L_j^{[l(j,s)]} \Longrightarrow L_i^{[l(i,s)]}$. By P1, $\Longrightarrow$ is a total order, so we have a contradiction. □


The following lemma shows that the Lamport-Bakery mutual exclusion algorithm satisfies the fcfs property.

Lemma 8.10 Consider the execution $\alpha$. Let $s_i$ be any state after $p_i$ executes the action on line 3 but before $p_i$ is in the critical section for the first time after the execution of the action. Let $s_j$ be any state before $p_j$ executes the action on line 2 such that $p_j$ must execute line 2 before it enters the critical section for the first time after $s_j$. Assume that $s_i \longrightarrow s_j$. Let $s_{c_i}$ be the first state in which $p_i$ is in the critical section after $s_i$. Let $s_{c_j}$ be the first state in which $p_j$ is in the critical section after $s_j$. Then $s_{c_i} \longrightarrow s_{c_j}$.

Proof: For a contradiction assume that $s_{c_j} \longrightarrow s_{c_i}$. In $s_{c_j}$, $p_j$ is in the critical section and $x_i = T$. Hence Lemma 8.8 implies that $L_j^{[l(j,s_{c_j})]} \Longrightarrow L_i^{[l(i,s_{c_j})]}$. However, since $s_i \longrightarrow s_j$, we know that $L_i^{[l(i,s_{c_j})]} \longrightarrow L_j^{[l(j,s_{c_j})]}$, which by P1a is a contradiction. □


Next we consider the deadlock freedom property of the Lamport-Bakery mutual exclusion algorithm. We consider the second part of the property first.

Lemma 8.11 Suppose that process $p_i$ is in the exit section in state $s$ of execution $\alpha$. Then $p_i$ will eventually enter the remainder section.

Proof: The lemma follows immediately from the fact that the exit section, line 10, consists of a single waitfree action. □


Lemma 8.12 If $p_i$ is in the trying section in state $s_1$ of execution $\alpha$, then there exists some process that is in the critical section, or there exists some process that eventually enters the critical section.

Proof: Let $p_i$ be in the trying section in $s_1$. If there exists some process in the critical section in $s_1$, then we are done. Therefore, assume that no such process exists. Let $s_c$, where $s_1 \longrightarrow s_c$, be the state in which the first process is in the critical region after $s_1$. Since the code of Figure 8 is waitfree, except for lines 5 and 8, $p_i$ will eventually reach line 5. Label this state in the execution as $s_2$. Now let $S$ be the set of processes that are in the trying section in state $s_2$. If there are any processes in the exit section in state $s_2$, Lemma 8.11 implies that there exists a state $s_2'$, where $s_2 \longrightarrow s_2'$, such that there are no processes in the exit section in state $s_2'$.

Let $p_k \in \{1\ldots n\} - S$. If $x_k = T$ in any state between $s_2'$ and $s_c$, it must be that $p_k$ executes the LABEL_k operation of lines 2 and 3 after the state $s_2$. Furthermore $p_i$ last executes the LABEL_i operation before state $s_2$. Hence P1a shows that for any state $s$ between $s_2'$ and $s_c$ where $x_k = T$:
$$L_i^{[l(i,s)]} \Longrightarrow L_k^{[l(k,s)]}. \qquad (14)$$

Consider any $p_j \in S$. If $x_j = T$, then $L_j^{[l(j,s_2')]}$ is defined. If $x_j = \bot$, then $L_j^{[l(j,s_2')]}$ may not be defined. Since lines 1–4 are waitfree, it will eventually be the case that $x_j = T$ for all $p_j \in S$. Call this state $s_3$. Now $L_j^{[l(j,s_3)]}$ is defined for all $p_j \in S$. Consider $p_j \in S$ such that $L_j^{[l(j,s_3)]} \Longrightarrow L_k^{[l(k,s_3)]}$ for all $p_k \in S$ and $k \neq j$. By P1, $\Longrightarrow$ is a total order, hence $p_j$ exists. Since none of the processes in $S$ pick a new label between $s_3$ and $s_c$, $L_j^{[l(j,s)]} \Longrightarrow L_k^{[l(k,s)]}$ for all $k \neq j$, $k \in S$, and $s$ between $s_3$ and $s_c$. Furthermore, for all $p_k \in \{1\ldots n\} - S$ where $x_k = T$ and $s$ between $s_3$ and $s_c$, $L_j^{[l(j,s)]} \Longrightarrow L_k^{[l(k,s)]}$. This is a consequence of Equation 14 which shows that $L_i^{[l(i,s)]} \Longrightarrow L_k^{[l(k,s)]}$ and the definition of $p_j$ which shows that $L_j^{[l(j,s)]} \Longrightarrow L_i^{[l(i,s)]}$.

The process $p_j$ will progress past line 5 unless there exists some process $p_k$ such that $x_k = \bot$. Eventually, it must be that $x_k \neq \bot$. Furthermore, $x_k \neq \bot$ at least until $s_c$. Thus each process that is preventing $p_j$'s progress at line 5 will eventually have $x_k \neq \bot$. At this point $p_j$ will advance to line 8. Process $p_j$ will advance to the critical section unless there exists some process $p_k$ such that $x_k = T$ and $p_j$ orders $k < j$ in the $\theta_j$ returned by the SCAN_j operation executed in lines 6 and 7 just prior to $p_j$ finding $k < j$ in line 8. Since the SCAN_j operation of lines 6 and 7 continues to be executed while there exists some process $p_k$ such that $x_k = T$ and $k < j$ in $\theta_j$, there must eventually be a state $s$ between states $s_3$ and $s_c$ such that $L_k^{[l(k,s)]} \longrightarrow S_j^{[s(j,s)]}$. By definition of $l(k,s)$ there exists no $L_k^{[b]}$, where $b \neq l(k,s)$, such that $L_k^{[l(k,s)]} \longrightarrow L_k^{[b]} \longrightarrow S_j^{[s(j,s)]}$. Consequently P2 shows that $c(j,s(j,s),k) = l(k,s)$. The same argument shows that $c(j,s(j,s),j) = l(j,s)$. Since $p_j$ orders $k < j$ in $\theta_j$, P1b shows that $L_k^{[l(k,s)]} \Longrightarrow L_j^{[l(j,s)]}$. However, such a $k$ cannot exist in state $s$ since $s$ is between the states $s_3$ and $s_c$ and, for all states $s'$ between $s_3$ and $s_c$, $L_j^{[l(j,s')]} \Longrightarrow L_k^{[l(k,s')]}$ for all $k \in S$ and all $k \in \{1\ldots n\} - S$ where $x_k = T$. Therefore, $p_j$ will eventually enter the critical section. □


Finally, we consider the no lockout property.

Lemma 8.13 Suppose in the state $s_1$ in execution $\alpha$, $p_i$ is in the trying section. If there is no $p_j$ such that $p_j$ is in the critical section for all states after some state $s_j$, then $p_i$ will eventually enter the critical section.

Proof: The first 4 lines of the trying section are waitfree. Therefore, $p_i$ will eventually complete these lines. Call the first state after line 4 completes $s_i$. Let $S$ be the set of processes $p_j$ for which it is possible that $p_j$ is in the critical section in some state which succeeds $s_i$, but precedes the state in which $p_i$ enters the critical section. Clearly $S \subseteq \{1,\ldots,n\} - \{i\}$. Since $p_i$ is in the trying section, Lemma 8.12 says that $p_i$ or some $p_j \in S$ will eventually enter the critical section. The proof is complete if $p_i$ enters the critical section, so assume that $p_j$ enters the critical section. After $p_j$ exits the critical section, $p_j$ must start executing line 2 after some state $s_j$, where $s_i \longrightarrow s_j$, before $p_j$ enters the critical section a subsequent time. Now Lemma 8.10 shows that $S = S - \{j\}$ after $p_j$ exits the critical section. We repeat this argument until $S = \emptyset$. Then Lemma 8.12 says that $p_i$ eventually enters the critical section. □


9 Formal Justification for Use of Snapshot 


The purpose of this section is to formally justify the manner in which the snapshot operations SNAP and UPDATE of [1] are used in BCTSS and UCTSS. Specifically, we must justify the fact that we do not use separate actions for the invocation and response of each snapshot operation.
9.1 Theory

In order to provide a strong theoretical foundation for the discussion, we extend some of the concepts introduced in Section 2. Most of the ideas in the following discussion are taken from Goldman, Lynch and Yelick [15]. We present a simplified and less general version of their results.

Goldman et al. introduce the concepts of an environment, a process and an object. Intuitively, an environment refers to the user of a particular I/O Automaton. The I/O Automata model generally does not model the users of I/O Automata except to describe the situations in which a user is expected to issue input actions. A process is an I/O Automaton that performs an operation on behalf of the environment. Typically the interface between the environment and a process is described by a set of input actions that are used by the environment to request an operation and output actions that are used by the process to respond to an operation request. Finally, objects are I/O Automata that model shared data types that provide a means for a set of processes to communicate. The following discussion formalizes these concepts. Note that we largely retain the notational conventions used in Section 2.


Definition 9.1 (object I/O Automata) An object I/O Automaton, $o$, which can be used by $n$ process I/O Automata (see Definition 9.2) is an I/O Automaton with an operational interface which is characterized as follows. For each $i \in \{1\ldots n\}$, there exists a disjoint set of operation types $ops_i(o) \subseteq ops(extsig(o))$. For each operation type $a_i \in ops_i(o)$, we denote the input actions by $\mathrm{INVOKE}_{o,p_i}(a_i,v)$ and the output actions by $\mathrm{RESPONSE}_{o,p_i}(a_i,r)$. □


As a shorthand for an object I/O Automaton we use the term object. The subscript $o,p_i$ indicates that a process I/O Automaton denoted by $p_i$ will use this action to communicate with the object $o$ when $o$ and $p_i$ are composed. We now present a formal definition for a process I/O Automaton.


Definition 9.2 (process I/O Automata) A process I/O Automaton, $p_i$, is an I/O Automaton with an operational interface which is comprised of two disjoint sets of operation types:

• There is a set of operation types which describe the interface between the process and the environment. For any such operation type called $a_i$ we denote the input actions by $\mathrm{INVOKE}_{p_i}(a_i,v)$ and the output actions by $\mathrm{RESPONSE}_{p_i}(a_i,r)$.

• There is a set of operation types which describe the interface between the process and an object¹² denoted by $o$. For any such operation type called $a_i$ we denote the input actions¹³ by $\mathrm{RESPONSE}_{o,p_i}(a_i,r)$ and the output actions by $\mathrm{INVOKE}_{o,p_i}(a_i,v)$.


For the discussion that follows, let $A$ be any I/O Automaton that is a composition of $n$ processes $\{p_1 \ldots p_n\}$ and one object $o$ where the external actions of $o$ are hidden. We now define various characteristics of schedules of $A$. These characteristics will be used in the definition of an I/O Automaton called an IR system. Let $\beta$ be a schedule of $A$. Then $\beta|p_i$ is the projection of $\beta$ onto all $\mathrm{INVOKE}_{p_i}(a_i,v)$ and $\mathrm{RESPONSE}_{p_i}(a_i,r)$ actions that constitute $p_i$'s interface with the environment. Similarly, $\beta|o,p_i$ is the projection of $\beta$ onto all $\mathrm{INVOKE}_{o,p_i}(a_i,v)$ and $\mathrm{RESPONSE}_{o,p_i}(a_i,r)$ actions that constitute $p_i$'s interface with the object $o$. In order to ensure that a process only issues requests to an object when that process is servicing a request from the environment, we introduce the concept of a process $p_i$ being active after a prefix of a particular schedule. Specifically, a process $p_i$ is active after a prefix $\beta'$ of the schedule $\beta$ of $A$ if the last action in $\beta'|p_i$ is an $\mathrm{INVOKE}_{p_i}(a_i,v)$ action.

Definition 9.3 (IR-well-formed) Let $\beta$ be a schedule of $A$. We say $\beta$ is IR-well-formed if
1. $beh(\beta)$ is well-formed.
2. Every $\mathrm{INVOKE}_{o,p_i}(a_i,v)$ action in $\beta|o,p_i$ occurs from a prefix of $\beta$ after which $p_i$ is active.
3. $\beta|o,p_i$ consists of an alternating sequence of input and output actions of $o$, starting with an input action, such that each $\mathrm{RESPONSE}_{o,p_i}(a_i,r)$ action is immediately preceded by an $\mathrm{INVOKE}_{o,p_i}(a_i,v)$ action.
4. In $\beta$ no actions of $p_i$ occur between any pair of corresponding $\mathrm{INVOKE}_{o,p_i}(a_i,v)$ and $\mathrm{RESPONSE}_{o,p_i}(a_i,r)$ actions. □


¹² [15] allows processes to have an interface to an arbitrary number of objects. For the sake of simplicity, we restrict attention to processes which have an interface to only one object.

¹³ Notice that we have changed the notational convention for the process' interface with the object. This arises from the fact that the input actions of the object must have the same name as the output actions of the process. In this way, the process can initiate operation instances on the object (see discussion of composition in Section 2).
Definition 9.4 (IR-well-formed-preserving) Let $\beta$ be a schedule of $A$. $\beta$ is IR-well-formed-preserving if, for all prefixes $\beta'$ of $\beta$, where $beh(\beta')$ has a well-formed-input, $\beta'$ is IR-well-formed. We say that $A$ is IR-well-formed-preserving if every schedule of $A$ is IR-well-formed-preserving.


Definition 9.5 (IR system) Let A be an I/O Automaton that is a composition of $n$ pro- 
cesses, $\{p_1, \ldots, p_n\}$, and one object, $o$, where the external actions of $o$ are hidden. A is an IR 
system iff: 
1. The object $o$ of A is an atomic I/O Automaton that satisfies some specification S. 
2. A is IR-well-formed-preserving. 
3. A is response-live. □ 


We now define an IRA system which is the same as an IR system except that it combines the 
INVOKE$_{o,p_i}(a_i, v)$ and RESPONSE$_{o,p_i}(a_i, r)$ actions into a single action called ATOMIC$_{o,p_i}(a_i, v, r)$. 


Definition 9.6 (IRA system) Let $I = \{1, \ldots, n\}$. Let A be an IR system composed of $n$ 
processes, $\{p_1, \ldots, p_n\}$, and an atomic object, $o$, satisfying specification S. Then the IRA system 
A' that corresponds to A is defined as follows: 

• states(A') = states(A) 

• start(A') = start(A) 

• sig(A') = $\Big(\mathrm{in}(A),\ \mathrm{out}(A),\ \big(\mathrm{int}(A) - \bigcup_{i \in I} \{\mathrm{INVOKE}_{o,p_i}(a_i, v),\ \mathrm{RESPONSE}_{o,p_i}(a_i, r)\}\big) \cup \bigcup_{i \in I} \{\mathrm{ATOMIC}_{o,p_i}(a_i, v, r)\}\Big)$. 

• steps(A') = the set of all steps $(a, \pi, a'')$ such that either: 

– $\pi \notin \bigcup_{i \in I} \{\mathrm{INVOKE}_{o,p_i}(a_i, v),\ \mathrm{RESPONSE}_{o,p_i}(a_i, r)\}$ and $(a, \pi, a'') \in$ steps(A), or 

– $\pi \in \bigcup_{i \in I} \{\mathrm{ATOMIC}_{o,p_i}(a_i, v, r)\}$ and there exists a state $a'$ of A such that 
$(a, \mathrm{INVOKE}_{o,p_i}(a_i, v), a') \in$ steps(A) and $(a', \mathrm{RESPONSE}_{o,p_i}(a_i, r), a'') \in$ steps(A), and, 
for any schedule $\beta$ of A', the projection of $\beta$ onto the set of all ATOMIC$_{o,p_i}(a_i, v, r)$ 
actions must be an element of the sequential specification of the atomic object $o$. 

• part(A') = part(A) except that the set of ATOMIC$_{o,p_i}(a_i, v, r)$ actions, for all $v$ and $r$, 
replace the set of INVOKE$_{o,p_i}(a_i, v)$ actions for all $v$. □ 


In the action signature we are replacing the pair of actions INVOKE$_{o,p_i}(a_i, v)$, RESPONSE$_{o,p_i}(a_i, r)$ 
by a single action ATOMIC$_{o,p_i}(a_i, v, r)$ such that ATOMIC$_{o,p_i}(a_i, v, r)$ can be executed in A' in 
situations where the pair of actions INVOKE$_{o,p_i}(a_i, v)$, RESPONSE$_{o,p_i}(a_i, r)$ can be executed in 
A. The following significant theorem due to Goldman et al. [15] can be used to show that A' 
implements A. 


Theorem 9.1 Let A be an IR system and A' be the IRA system corresponding to A. If $\alpha$ is 
a fair execution of A, then there exists a fair execution $\alpha'$ of A' such that beh($\alpha'$) = beh($\alpha$). 

Corollary 9.2 Let A be an IR system. Then A implements the IRA system corresponding to it. 

Proof: This follows immediately from Theorem 9.1. □ 


9.2 Proof 

Figure 9 shows the code for UCTSS and BCTSS$^{14}$ that uses the invocation and response actions for 
SNAP$_i$ and UPDATE$_i$. We call these new I/O Automata UCTSS' and BCTSS'. Since the interface 
provided by [1] uses request and response actions, we can technically only use the SNAP$_i$ and 
UPDATE$_i$ primitives as is done in UCTSS' and BCTSS'. In order to show that UCTSS' and BCTSS' 
solve CTSS we will show that UCTSS' implements UCTSS and BCTSS' implements BCTSS. 

We proceed as follows. We show that UCTSS' and BCTSS' are IR systems, and then note 
that the IRA systems corresponding to UCTSS' and BCTSS' are UCTSS and BCTSS respectively. 

$^{14}$UCTSS and BCTSS share the code that is relevant to this discussion. 
SCAN_i:

  BEGINSCAN_i                                 Eff: op_i ← SCAN_i
                                                   pc_i ← BEGINSNAP_i

  BEGINSNAP_i                                 Pre: pc_i = BEGINSNAP_i
                                              Eff: pc_i ← NIL

  ENDSNAP_i(t̄_i, v̄_i)                          Eff: If op_i = SCAN_i then
                                                     ō_i ← the sequence of indexes where
                                                           j appears before k in ō_i iff (t_j, j) < (t_k, k)
                                                     pc_i ← ENDSCAN_i(ō_i, v̄_i)
                                                   If op_i = LABEL_i then
                                                     nt_i ← NEWLABEL_i(t̄_i)
                                                     pc_i ← BEGINUPDATE_i((t̄_i, v̄_i), (nt_i, val_i))

  ENDSCAN_i(ō_i, v̄_i)                          Pre: pc_i = ENDSCAN_i(ō_i, v̄_i)
                                              Eff: pc_i ← NIL

LABEL_i:

  BEGINLABEL_i(val_i)                         Eff: op_i ← LABEL_i
                                                   pc_i ← BEGINSNAP_i

  BEGINUPDATE_i((t̄_i, v̄_i), (nt_i, val_i))    Pre: pc_i = BEGINUPDATE_i((t̄_i, v̄_i), (nt_i, val_i))
                                              Eff: pc_i ← NIL

  ENDUPDATE_i                                 Eff: pc_i ← ENDLABEL_i

  ENDLABEL_i                                  Pre: pc_i = ENDLABEL_i
                                              Eff: pc_i ← NIL

Figure 9: Precondition-Effect code for UCTSS' and BCTSS' 
This allows us to use Corollary 9.2 to conclude that UCTSS' implements UCTSS and BCTSS' 
implements BCTSS. 

Formally, UCTSS' and BCTSS' are a composition of $n$ process I/O Automata $\{p_1, \ldots, p_n\}$ and 
one object I/O Automaton $o$ where $p_i$ and $o$ are defined as follows: Each process I/O Au- 
tomaton has two operation types that constitute its interface with the environment, LABEL$_i$ 
and SCAN$_i$. The object interface of $p_i$ consists of the SNAP$_i$ and the UPDATE$_i$ operation types. 
These operation types consist of the following external actions: LABEL$_i$ consists of the input 
action BEGINLABEL$_i(val_i)$ and the output action ENDLABEL$_i$. SCAN$_i$ consists of the input ac- 
tion BEGINSCAN$_i$ and the output action ENDSCAN$_i(\bar o_i, \bar v_i)$. SNAP$_i$ consists of the output action 
BEGINSNAP$_i$ and the input action ENDSNAP$_i(\bar t_i, \bar v_i)$. UPDATE$_i$ consists of the output action 
BEGINUPDATE$_i((\bar t_i, \bar v_i), (nt_i, val_i))$ and the input action ENDUPDATE$_i$. There are no internal ac- 
tions. The partition is the same as it was for the UCTSS and BCTSS version of $p_i$ (see Section 4) 
except that BEGINSNAP$_i$ replaces SNAP$_i(\bar t_i, \bar v_i)$ and BEGINUPDATE$_i((\bar t_i, \bar v_i), (nt_i, val_i))$ replaces 
UPDATE$_i((\bar t_i, \bar v_i), (nt_i, val_i))$. The steps of $p_i$ are determined by the $pc_i$ variable, and the states 
and start states are defined as they were for the UCTSS and BCTSS version of $p_i$. The object 
I/O Automaton $o$ is the implementation of the snapshot object given in [1]. We do not provide 
the code for $o$, but present some of its characteristics relevant to our discussion. The interface 
with the processes consists of $2n$ operation types SNAP$_i$ and UPDATE$_i$ for $i \in \{1, \ldots, n\}$. Each 
of these operation types consists of the following external actions: SNAP$_i$ consists of the input 
action BEGINSNAP$_i$ and the output action ENDSNAP$_i(\bar t_i, \bar v_i)$, and UPDATE$_i$ consists of the input 
action BEGINUPDATE$_i((\bar t_i, \bar v_i), (nt_i, val_i))$ and the output action ENDUPDATE$_i$. Furthermore, $o$ 
is an atomic I/O Automaton satisfying the SNAPSHOT serial specification. 


Definition 9.7 (SNAPSHOT serial specification) A sequence of operation instances $\alpha$ is in 
SNAPSHOT if and only if the following conditions hold. For any $i$, if a SNAP$_i$ operation instance 
returns the set of values, $\bar v$, and labels, $\bar t$, then $v_k$ and $t_k$ are the value and label written by the 
UPDATE$_k$ operation instance that immediately precedes SNAP$_i$ in $\alpha$. If a SNAP$_i$ operation in- 
stance is not preceded by an UPDATE$_k$ operation instance, then $v_k$ and $t_k$ are equal to their 
initial values. □ 


Lemma 9.3 UCTSS' and BCTSS' are IR systems. 

Proof: From [1] we know that the object I/O Automaton of UCTSS' and BCTSS' is an atomic 
object I/O Automaton that satisfies the SNAPSHOT serial specification given in Definition 9.7. 
So we must show that UCTSS' and BCTSS' are IR-well-formed-preserving and response-live. 

Notice by inspecting the precondition clauses in the code of Figure 9 that for any equiv- 
alence class $C_i$ of part(UCTSS') and part(BCTSS'), there is always at most one action enabled. 
Furthermore each action remains enabled until it is executed. Consequently, the actions must 
be executed in the sequence in which they are enabled. Furthermore, in a fair execution each 
enabled action will eventually be executed. 

Now consider any fair execution whose behavior has a well-formed input. Since the object $o$ 
is well-formed-preserving and response-live, inspection of the precondition-effect code in Fig- 
ure 9 shows that the following sequence of actions is executed in response to a BEGINSCAN$_i$ input 
action: BEGINSNAP$_i$, ENDSNAP$_i(\bar t_i, \bar v_i)$, and ENDSCAN$_i(\bar o_i, \bar v_i)$. Following a BEGINLABEL$_i(val_i)$ 
input action, the following sequence of actions is executed: BEGINSNAP$_i$, ENDSNAP$_i(\bar t_i, \bar v_i)$, 
BEGINUPDATE$_i((\bar t_i, \bar v_i), (nt_i, val_i))$, ENDUPDATE$_i$, and ENDLABEL$_i$. Finally, no actions of $C_i$ are 
enabled between the execution of an ENDSCAN$_i(\bar o_i, \bar v_i)$ or ENDLABEL$_i$ action and the next execu- 
tion of a BEGINSCAN$_i$ or BEGINLABEL$_i(val_i)$ action. Inspection of these action sequences and 
the definitions of IR-well-formed-preserving and response-live immediately shows that UCTSS' 
and BCTSS' are IR-well-formed-preserving and response-live. □ 


Now that we have shown that UCTSS' and BCTSS' are IR systems, note that the IRA systems 
corresponding to UCTSS' and BCTSS' are UCTSS and BCTSS respectively. Specifically, in UCTSS 
and BCTSS the BEGINSNAP$_i$ and ENDSNAP$_i(\bar t_i, \bar v_i)$ actions of UCTSS' and BCTSS' are replaced 
by the SNAP$_i(\bar t_i, \bar v_i)$ action. Similarly, the BEGINUPDATE$_i((\bar t_i, \bar v_i), (nt_i, val_i))$ and ENDUPDATE$_i$ 
actions are replaced by the UPDATE$_i((\bar t_i, \bar v_i), (nt_i, val_i))$ action (see Definition 9.6). 

Theorem 9.4 BCTSS' and UCTSS' solve CTSS. 

Proof: Using Corollary 9.2 we conclude that BCTSS' implements BCTSS and UCTSS' imple- 
ments UCTSS. From Theorem 7.3 we know that BCTSS solves CTSS, hence BCTSS' solves CTSS. 
Similarly, Lemma 4.10 shows that UCTSS solves CTSS, therefore UCTSS' solves CTSS. □ 
10 Discussion and Future Work 


Critical to constructing and proving the correctness of our simple bounded timestamping sys- 
tem are the design technique of composition and the analysis techniques provided by the I/O 
Automata Model. 

The composition of the label structure of [11] with the atomic snapshot primitive of [1] 
greatly reduces the complexity of our algorithm relative to [11]. Many possible executions are 
eliminated by the fact that the snapshot primitive returns an instantaneous (in the sense of 
[20]) view of the current labels. Even though the construction of the snapshot primitive is 
complex, its complexity is hidden from the timestamping system. Our simple constructions for 
the multireader multiwriter atomic register and first come first serve mutual exclusion further 
demonstrate the power of using composition to simplify the design and analysis of algorithms. 

Due to the fact that our algorithm uses the snapshot primitive, the complexity of our 
timestamping system is worse by $O(\sqrt{n})$ than the most efficient known bounded timestamping 
system [12]. The complexity of our bounded timestamping system is the same as the complexity 
of the underlying snapshot primitive. The complexity of the original construction in [1] was 
$O(n^2)$. The best construction currently known has complexity $O(n\sqrt{n})$ [3]. In addition to our 
bounded timestamping system, there are several other areas in which the snapshot primitive 
is useful (see [1]). Consequently, improving the complexity of the snapshot primitives would 
provide a significant contribution. Since the SNAP operation must read $n$ registers, $\Omega(n)$ is a 
lower bound for the SNAP operation. We see no reason why $O(n)$ algorithms for both the SNAP 
and UPDATE operations should not be possible. 

An important feature of the I/O Automata Model is the concept of stepwise refinement 
[29], [21]. Specifically, the I/O Automata Model defines the concept of one I/O Automaton 
implementing another I/O Automaton. Therefore the correctness of complex algorithms can 
be proved by designing a series of algorithms of increasing complexity. The simulation proof 
techniques are used to show that the complex algorithms implement the simpler ones. In this 
way, the complexities of an algorithm are introduced in a stepwise manner. Our use of the simple 
unbounded real-number-based timestamping specification demonstrates these techniques (see 
[29] for a thorough discussion of these issues). 


The use of the I/O Automata Model in our paper suggests several avenues of research for 
I/O Automata theory. The reader will notice that the I/O Automata section is fairly long since 
it develops several concepts. The need to develop these concepts is due to the fact that the I/O 
Automata Model is much more general than the shared memory system model that is needed 
in this paper. Hence much of the structure of the shared memory model must be developed for 
the I/O Automata Model. A research effort that develops structure for specific system models 
such as the shared memory model and the network model would be an invaluable contribution. 
[15] is a good step in this direction for the shared memory model. 

In recent years, much progress has been made in the area of automatic theorem provers. 
Large parts of our correctness proof, especially the proof for the invariants in Section 6, use an 
extensive, well-structured case analysis. Each case is proved by a simple but tedious argument. 
Consequently, we view the correctness proof of our bounded timestamp algorithms as an ideal 
candidate with which to test the effectiveness of automatic theorem provers [6]. In testing a 
theorem prover on our algorithm we hope to determine whether or not I/O Automata proofs 
might in the future utilize theorem provers on a regular basis. 